OpenSSH 8.7p1 patches rebase
This commit is contained in:
parent
b8319d7f17
commit
8f4d190341
@ -28,7 +28,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
|||||||
+ options->enable_k5users = -1;
|
+ options->enable_k5users = -1;
|
||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->permit_empty_passwd = -1;
|
||||||
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
|
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
|
||||||
#endif
|
#endif
|
||||||
if (options->use_kuserok == -1)
|
if (options->use_kuserok == -1)
|
||||||
@ -72,9 +72,9 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
|||||||
+ intptr = &options->enable_k5users;
|
+ intptr = &options->enable_k5users;
|
||||||
+ goto parse_flag;
|
+ goto parse_flag;
|
||||||
+
|
+
|
||||||
case sPermitListen:
|
case sMatch:
|
||||||
case sPermitOpen:
|
if (cmdline)
|
||||||
if (opcode == sPermitListen) {
|
fatal("Match directive not supported as a command-line "
|
||||||
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
|
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
|
||||||
M_CP_INTOPT(ip_qos_interactive);
|
M_CP_INTOPT(ip_qos_interactive);
|
||||||
M_CP_INTOPT(ip_qos_bulk);
|
M_CP_INTOPT(ip_qos_bulk);
|
||||||
|
@ -182,7 +182,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
|||||||
+ options->use_kuserok = -1;
|
+ options->use_kuserok = -1;
|
||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->permit_empty_passwd = -1;
|
||||||
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
|
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
|
||||||
if (options->gss_kex_algorithms == NULL)
|
if (options->gss_kex_algorithms == NULL)
|
||||||
options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
||||||
@ -193,9 +193,9 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
|||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -399,7 +402,7 @@ typedef enum {
|
@@ -399,7 +402,7 @@ typedef enum {
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
sPort, sHostKeyFile, sLoginGraceTime,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
- sKerberosGetAFSToken, sKerberosUniqueCCache,
|
- sKerberosGetAFSToken, sKerberosUniqueCCache,
|
||||||
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
|
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
|
||||||
sChallengeResponseAuthentication,
|
sChallengeResponseAuthentication,
|
||||||
@ -217,16 +217,16 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
|||||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
|
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
|
||||||
*inc_flags &= ~SSHCFG_MATCH_ONLY;
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
+ case sKerberosUseKuserok:
|
+ case sKerberosUseKuserok:
|
||||||
+ intptr = &options->use_kuserok;
|
+ intptr = &options->use_kuserok;
|
||||||
+ goto parse_flag;
|
+ goto parse_flag;
|
||||||
+
|
+
|
||||||
case sPermitListen:
|
case sMatch:
|
||||||
case sPermitOpen:
|
if (cmdline)
|
||||||
if (opcode == sPermitListen) {
|
fatal("Match directive not supported as a command-line "
|
||||||
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
|
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
|
||||||
M_CP_INTOPT(client_alive_interval);
|
M_CP_INTOPT(client_alive_interval);
|
||||||
M_CP_INTOPT(ip_qos_interactive);
|
M_CP_INTOPT(ip_qos_interactive);
|
||||||
|
@ -54,18 +54,6 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
|
|||||||
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
|
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
|
||||||
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
||||||
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
|
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
|
||||||
@@ -409,8 +409,10 @@ sshauthopt_parse(const char *opts, const
|
|
||||||
errstr = "invalid environment string";
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
- if ((cp = strdup(opt)) == NULL)
|
|
||||||
+ if ((cp = strdup(opt)) == NULL) {
|
|
||||||
+ free(opt);
|
|
||||||
goto alloc_fail;
|
|
||||||
+ }
|
|
||||||
cp[tmp - opt] = '\0'; /* truncate at '=' */
|
|
||||||
if (!valid_env_name(cp)) {
|
|
||||||
free(cp);
|
|
||||||
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
|
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
@ -133,13 +121,13 @@ diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
|
|||||||
--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
||||||
+++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100
|
+++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100
|
||||||
@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
|
@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
|
||||||
&hostkey_digest_len, hostkey)) {
|
&hostkey_digest, &hostkey_digest_len, hostkey)) {
|
||||||
error("Error calculating key fingerprint.");
|
error("Error calculating key fingerprint.");
|
||||||
freerrset(fingerprints);
|
freerrset(fingerprints);
|
||||||
+ free(dnskey_digest);
|
+ free(dnskey_digest);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
|
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
|
||||||
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
|
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
|
||||||
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
|
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
|
||||||
@ -316,6 +304,36 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open
|
|||||||
int i;
|
int i;
|
||||||
|
|
||||||
if (sa == NULL) {
|
if (sa == NULL) {
|
||||||
|
diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c
|
||||||
|
--- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity 2021-08-30 16:36:11.357288009 +0200
|
||||||
|
+++ openssh-8.7p1/openbsd-compat/bsd-pselect.c 2021-08-30 16:37:21.791897976 +0200
|
||||||
|
@@ -113,13 +113,13 @@ pselect_notify_setup(void)
|
||||||
|
static void
|
||||||
|
pselect_notify_parent(void)
|
||||||
|
{
|
||||||
|
- if (notify_pipe[1] != -1)
|
||||||
|
+ if (notify_pipe[1] >= 0)
|
||||||
|
(void)write(notify_pipe[1], "", 1);
|
||||||
|
}
|
||||||
|
static void
|
||||||
|
pselect_notify_prepare(fd_set *readset)
|
||||||
|
{
|
||||||
|
- if (notify_pipe[0] != -1)
|
||||||
|
+ if (notify_pipe[0] >= 0)
|
||||||
|
FD_SET(notify_pipe[0], readset);
|
||||||
|
}
|
||||||
|
static void
|
||||||
|
@@ -127,8 +127,8 @@ pselect_notify_done(fd_set *readset)
|
||||||
|
{
|
||||||
|
char c;
|
||||||
|
|
||||||
|
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) {
|
||||||
|
- while (read(notify_pipe[0], &c, 1) != -1)
|
||||||
|
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) {
|
||||||
|
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
||||||
|
debug2_f("reading");
|
||||||
|
FD_CLR(notify_pipe[0], readset);
|
||||||
|
}
|
||||||
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
|
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
|
||||||
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
|
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
|
||||||
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
|
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
|
||||||
@ -324,33 +342,29 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
|
|||||||
error("%.200s line %d: glob failed for %s.",
|
error("%.200s line %d: glob failed for %s.",
|
||||||
filename, linenum, arg2);
|
filename, linenum, arg2);
|
||||||
+ free(arg2);
|
+ free(arg2);
|
||||||
return -1;
|
goto out;
|
||||||
}
|
}
|
||||||
free(arg2);
|
free(arg2);
|
||||||
diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
|
diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
|
||||||
--- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100
|
--- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200
|
||||||
+++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100
|
+++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200
|
||||||
@@ -157,7 +157,7 @@ killchild(int signo)
|
@@ -186,11 +186,11 @@ killchild(int signo)
|
||||||
{
|
{
|
||||||
if (do_cmd_pid > 1) {
|
if (do_cmd_pid > 1) {
|
||||||
kill(do_cmd_pid, signo ? signo : SIGTERM);
|
kill(do_cmd_pid, signo ? signo : SIGTERM);
|
||||||
- waitpid(do_cmd_pid, NULL, 0);
|
- waitpid(do_cmd_pid, NULL, 0);
|
||||||
+ (void) waitpid(do_cmd_pid, NULL, 0);
|
+ (void) waitpid(do_cmd_pid, NULL, 0);
|
||||||
}
|
}
|
||||||
|
if (do_cmd_pid2 > 1) {
|
||||||
|
kill(do_cmd_pid2, signo ? signo : SIGTERM);
|
||||||
|
- waitpid(do_cmd_pid2, NULL, 0);
|
||||||
|
+ (void) waitpid(do_cmd_pid2, NULL, 0);
|
||||||
|
}
|
||||||
|
|
||||||
if (signo)
|
if (signo)
|
||||||
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
|
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
|
||||||
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
|
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
|
||||||
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
|
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
|
||||||
@@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions
|
|
||||||
fatal("%s line %d: Missing subsystem name.",
|
|
||||||
filename, linenum);
|
|
||||||
if (!*activep) {
|
|
||||||
- arg = strdelim(&cp);
|
|
||||||
+ /*arg =*/ (void) strdelim(&cp);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
for (i = 0; i < options->num_subsystems; i++)
|
|
||||||
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
|
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
|
||||||
if (*activep && *charptr == NULL) {
|
if (*activep && *charptr == NULL) {
|
||||||
*charptr = tilde_expand_filename(arg, getuid());
|
*charptr = tilde_expand_filename(arg, getuid());
|
||||||
@ -363,37 +377,10 @@ diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
|
||||||
--- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-8.7p1/serverloop.c.coverity 2021-08-20 06:03:49.000000000 +0200
|
||||||
+++ openssh-7.4p1/serverloop.c 2016-12-23 16:40:26.902788691 +0100
|
+++ openssh-8.7p1/serverloop.c 2021-08-30 16:28:22.416226981 +0200
|
||||||
@@ -125,13 +125,13 @@ notify_setup(void)
|
@@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh)
|
||||||
static void
|
|
||||||
notify_parent(void)
|
|
||||||
{
|
|
||||||
- if (notify_pipe[1] != -1)
|
|
||||||
+ if (notify_pipe[1] >= 0)
|
|
||||||
(void)write(notify_pipe[1], "", 1);
|
|
||||||
}
|
|
||||||
static void
|
|
||||||
notify_prepare(fd_set *readset)
|
|
||||||
{
|
|
||||||
- if (notify_pipe[0] != -1)
|
|
||||||
+ if (notify_pipe[0] >= 0)
|
|
||||||
FD_SET(notify_pipe[0], readset);
|
|
||||||
}
|
|
||||||
static void
|
|
||||||
@@ -139,8 +139,8 @@ notify_done(fd_set *readset)
|
|
||||||
{
|
|
||||||
char c;
|
|
||||||
|
|
||||||
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
|
|
||||||
- while (read(notify_pipe[0], &c, 1) != -1)
|
|
||||||
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
|
||||||
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
|
||||||
debug2_f("reading");
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -518,7 +518,7 @@ server_request_tun(void)
|
|
||||||
debug_f("invalid tun");
|
debug_f("invalid tun");
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
@ -807,15 +807,6 @@ diff -up openssh-8.6p1/auth2-pubkey.c.audit openssh-8.6p1/auth2-pubkey.c
|
|||||||
diff -up openssh-8.6p1/auth.c.audit openssh-8.6p1/auth.c
|
diff -up openssh-8.6p1/auth.c.audit openssh-8.6p1/auth.c
|
||||||
--- openssh-8.6p1/auth.c.audit 2021-04-19 16:47:35.681061553 +0200
|
--- openssh-8.6p1/auth.c.audit 2021-04-19 16:47:35.681061553 +0200
|
||||||
+++ openssh-8.6p1/auth.c 2021-04-19 16:47:35.754062114 +0200
|
+++ openssh-8.6p1/auth.c 2021-04-19 16:47:35.754062114 +0200
|
||||||
@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authentica
|
|
||||||
# endif
|
|
||||||
#endif
|
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
|
||||||
- if (authenticated == 0 && !authctxt->postponed)
|
|
||||||
+ if (authenticated == 0 && !authctxt->postponed && !partial)
|
|
||||||
audit_event(ssh, audit_classify_auth(method));
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
@@ -597,9 +597,6 @@ getpwnamallow(struct ssh *ssh, const cha
|
@@ -597,9 +597,6 @@ getpwnamallow(struct ssh *ssh, const cha
|
||||||
record_failed_login(ssh, user,
|
record_failed_login(ssh, user,
|
||||||
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
||||||
@ -1204,9 +1195,9 @@ diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c
|
|||||||
|
|
||||||
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
|
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
|
||||||
- sigalg, ssh->compat, &sig_details);
|
- sigalg, ssh->compat, &sig_details);
|
||||||
debug3_f("%s %p signature %s%s%s", auth_method, key,
|
debug3_f("%s %s signature %s%s%s", auth_method, sshkey_type(key),
|
||||||
(ret == 0) ? "verified" : "unverified",
|
(ret == 0) ? "verified" : "unverified",
|
||||||
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
|
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
|
||||||
@@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session
|
@@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2065,7 +2056,7 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
|
|||||||
close_startup_pipes(void)
|
close_startup_pipes(void)
|
||||||
{
|
{
|
||||||
@@ -377,18 +387,45 @@ grace_alarm_handler(int sig)
|
@@ -377,18 +387,45 @@ grace_alarm_handler(int sig)
|
||||||
ssh_remote_port(the_active_state));
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
-/* Destroy the host and server keys. They will no longer be needed. */
|
-/* Destroy the host and server keys. They will no longer be needed. */
|
||||||
|
@ -504,15 +504,15 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
|
|||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
if (options->gss_keyex == -1)
|
if (options->gss_keyex == -1)
|
||||||
@@ -506,7 +509,8 @@ typedef enum {
|
@@ -506,7 +509,8 @@ typedef enum {
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
sPort, sHostKeyFile, sLoginGraceTime,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
||||||
+ sKerberosGetAFSToken, sKerberosUniqueCCache,
|
+ sKerberosGetAFSToken, sKerberosUniqueCCache,
|
||||||
+ sChallengeResponseAuthentication,
|
+ sChallengeResponseAuthentication,
|
||||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||||
sListenAddress, sAddressFamily,
|
sListenAddress, sAddressFamily,
|
||||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||||
@@ -593,11 +597,13 @@ static struct {
|
@@ -593,11 +597,13 @@ static struct {
|
||||||
#else
|
#else
|
||||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
@ -18,7 +18,7 @@ diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
|
|||||||
@@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
@@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||||
# If you just want the PAM account and session checks to run without
|
# If you just want the PAM account and session checks to run without
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
# PAM authentication, then enable this but set PasswordAuthentication
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
# and KbdInteractiveAuthentication to 'no'.
|
||||||
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
|
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
|
||||||
+# problems.
|
+# problems.
|
||||||
#UsePAM no
|
#UsePAM no
|
||||||
|
@ -337,7 +337,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make
|
|||||||
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
|
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
|
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
|
||||||
@@ -92,7 +92,8 @@ PORTS= port-aix.o \
|
@@ -92,7 +92,8 @@ PORTS= port-aix.o \
|
||||||
port-linux.o \
|
port-prngd.o \
|
||||||
port-solaris.o \
|
port-solaris.o \
|
||||||
port-net.o \
|
port-net.o \
|
||||||
- port-uw.o
|
- port-uw.o
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
|
diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
|
||||||
--- openssh-8.6p1/ssh_config.5.crypto-policies 2021-04-19 15:18:32.071920379 +0200
|
--- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200
|
||||||
+++ openssh-8.6p1/ssh_config.5 2021-04-19 15:21:18.400179265 +0200
|
+++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200
|
||||||
@@ -368,15 +368,13 @@ or
|
@@ -373,17 +373,13 @@ or
|
||||||
.Qq *.c.example.com
|
.Qq *.c.example.com
|
||||||
domains.
|
domains.
|
||||||
.It Cm CASignatureAlgorithms
|
.It Cm CASignatureAlgorithms
|
||||||
@ -14,15 +14,17 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
|
|||||||
by certificate authorities (CAs).
|
by certificate authorities (CAs).
|
||||||
-The default is:
|
-The default is:
|
||||||
-.Bd -literal -offset indent
|
-.Bd -literal -offset indent
|
||||||
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ssh-ed25519,ecdsa-sha2-nistp256,
|
||||||
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
|
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
-rsa-sha2-512,rsa-sha2-256
|
-rsa-sha2-512,rsa-sha2-256
|
||||||
-.Ed
|
-.Ed
|
||||||
-.Pp
|
-.Pp
|
||||||
.Xr ssh 1
|
If the specified list begins with a
|
||||||
will not accept host certificates signed using algorithms other than those
|
.Sq +
|
||||||
specified.
|
character, then the specified algorithms will be appended to the default set
|
||||||
@@ -436,20 +434,25 @@ If the option is set to
|
@@ -445,20 +441,25 @@ If the option is set to
|
||||||
(the default),
|
(the default),
|
||||||
the check will not be executed.
|
the check will not be executed.
|
||||||
.It Cm Ciphers
|
.It Cm Ciphers
|
||||||
@ -52,7 +54,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The supported ciphers are:
|
The supported ciphers are:
|
||||||
.Bd -literal -offset indent
|
.Bd -literal -offset indent
|
||||||
@@ -465,13 +468,6 @@ aes256-gcm@openssh.com
|
@@ -474,13 +475,6 @@ aes256-gcm@openssh.com
|
||||||
chacha20-poly1305@openssh.com
|
chacha20-poly1305@openssh.com
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
@ -66,7 +68,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
|
|||||||
The list of available ciphers may also be obtained using
|
The list of available ciphers may also be obtained using
|
||||||
.Qq ssh -Q cipher .
|
.Qq ssh -Q cipher .
|
||||||
.It Cm ClearAllForwardings
|
.It Cm ClearAllForwardings
|
||||||
@@ -826,6 +822,11 @@ command line will be passed untouched to
|
@@ -874,6 +868,11 @@ command line will be passed untouched to
|
||||||
The default is
|
The default is
|
||||||
.Dq no .
|
.Dq no .
|
||||||
.It Cm GSSAPIKexAlgorithms
|
.It Cm GSSAPIKexAlgorithms
|
||||||
@ -78,7 +80,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
|
|||||||
The list of key exchange algorithms that are offered for GSSAPI
|
The list of key exchange algorithms that are offered for GSSAPI
|
||||||
key exchange. Possible values are
|
key exchange. Possible values are
|
||||||
.Bd -literal -offset 3n
|
.Bd -literal -offset 3n
|
||||||
@@ -838,10 +839,8 @@ gss-nistp256-sha256-,
|
@@ -886,10 +885,8 @@ gss-nistp256-sha256-,
|
||||||
gss-curve25519-sha256-
|
gss-curve25519-sha256-
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
@ -90,7 +92,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
|
|||||||
.It Cm HashKnownHosts
|
.It Cm HashKnownHosts
|
||||||
Indicates that
|
Indicates that
|
||||||
.Xr ssh 1
|
.Xr ssh 1
|
||||||
@@ -1169,29 +1168,25 @@ it may be zero or more of:
|
@@ -1219,29 +1216,25 @@ it may be zero or more of:
|
||||||
and
|
and
|
||||||
.Cm pam .
|
.Cm pam .
|
||||||
.It Cm KexAlgorithms
|
.It Cm KexAlgorithms
|
||||||
@ -129,7 +131,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The list of available key exchange algorithms may also be obtained using
|
The list of available key exchange algorithms may also be obtained using
|
||||||
.Qq ssh -Q kex .
|
.Qq ssh -Q kex .
|
||||||
@@ -1301,37 +1296,33 @@ function, and all code in the
|
@@ -1351,37 +1344,33 @@ function, and all code in the
|
||||||
file.
|
file.
|
||||||
This option is intended for debugging and no overrides are enabled by default.
|
This option is intended for debugging and no overrides are enabled by default.
|
||||||
.It Cm MACs
|
.It Cm MACs
|
||||||
@ -176,7 +178,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
|
|||||||
The list of available MAC algorithms may also be obtained using
|
The list of available MAC algorithms may also be obtained using
|
||||||
.Qq ssh -Q mac .
|
.Qq ssh -Q mac .
|
||||||
.It Cm NoHostAuthenticationForLocalhost
|
.It Cm NoHostAuthenticationForLocalhost
|
||||||
@@ -1503,37 +1494,25 @@ instead of continuing to execute and pas
|
@@ -1553,37 +1542,25 @@ instead of continuing to execute and pas
|
||||||
The default is
|
The default is
|
||||||
.Cm no .
|
.Cm no .
|
||||||
.It Cm PubkeyAcceptedAlgorithms
|
.It Cm PubkeyAcceptedAlgorithms
|
||||||
@ -223,10 +225,10 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The list of available signature algorithms may also be obtained using
|
The list of available signature algorithms may also be obtained using
|
||||||
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||||
diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
|
diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
|
||||||
--- openssh-8.6p1/sshd_config.5.crypto-policies 2021-04-19 15:18:32.062920311 +0200
|
--- openssh-8.7p1/sshd_config.5.crypto-policies 2021-08-30 13:29:00.157292731 +0200
|
||||||
+++ openssh-8.6p1/sshd_config.5 2021-04-19 15:20:42.591908243 +0200
|
+++ openssh-8.7p1/sshd_config.5 2021-08-30 13:32:16.263918533 +0200
|
||||||
@@ -373,15 +373,13 @@ If the argument is
|
@@ -373,17 +373,13 @@ If the argument is
|
||||||
then no banner is displayed.
|
then no banner is displayed.
|
||||||
By default, no banner is displayed.
|
By default, no banner is displayed.
|
||||||
.It Cm CASignatureAlgorithms
|
.It Cm CASignatureAlgorithms
|
||||||
@ -239,15 +241,17 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
|
|||||||
by certificate authorities (CAs).
|
by certificate authorities (CAs).
|
||||||
-The default is:
|
-The default is:
|
||||||
-.Bd -literal -offset indent
|
-.Bd -literal -offset indent
|
||||||
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ssh-ed25519,ecdsa-sha2-nistp256,
|
||||||
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
|
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
-rsa-sha2-512,rsa-sha2-256
|
-rsa-sha2-512,rsa-sha2-256
|
||||||
-.Ed
|
-.Ed
|
||||||
-.Pp
|
-.Pp
|
||||||
Certificates signed using other algorithms will not be accepted for
|
If the specified list begins with a
|
||||||
public key or host-based authentication.
|
.Sq +
|
||||||
.It Cm ChallengeResponseAuthentication
|
character, then the specified algorithms will be appended to the default set
|
||||||
@@ -445,20 +443,25 @@ The default is
|
@@ -450,20 +446,25 @@ The default is
|
||||||
indicating not to
|
indicating not to
|
||||||
.Xr chroot 2 .
|
.Xr chroot 2 .
|
||||||
.It Cm Ciphers
|
.It Cm Ciphers
|
||||||
@ -277,7 +281,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The supported ciphers are:
|
The supported ciphers are:
|
||||||
.Pp
|
.Pp
|
||||||
@@ -485,13 +488,6 @@ aes256-gcm@openssh.com
|
@@ -490,13 +491,6 @@ aes256-gcm@openssh.com
|
||||||
chacha20-poly1305@openssh.com
|
chacha20-poly1305@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
@ -291,7 +295,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
|
|||||||
The list of available ciphers may also be obtained using
|
The list of available ciphers may also be obtained using
|
||||||
.Qq ssh -Q cipher .
|
.Qq ssh -Q cipher .
|
||||||
.It Cm ClientAliveCountMax
|
.It Cm ClientAliveCountMax
|
||||||
@@ -680,21 +676,22 @@ For this to work
|
@@ -685,21 +679,22 @@ For this to work
|
||||||
.Cm GSSAPIKeyExchange
|
.Cm GSSAPIKeyExchange
|
||||||
needs to be enabled in the server and also used by the client.
|
needs to be enabled in the server and also used by the client.
|
||||||
.It Cm GSSAPIKexAlgorithms
|
.It Cm GSSAPIKexAlgorithms
|
||||||
@ -324,7 +328,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
|
|||||||
This option only applies to connections using GSSAPI.
|
This option only applies to connections using GSSAPI.
|
||||||
.It Cm HostbasedAcceptedAlgorithms
|
.It Cm HostbasedAcceptedAlgorithms
|
||||||
Specifies the signature algorithms that will be accepted for hostbased
|
Specifies the signature algorithms that will be accepted for hostbased
|
||||||
@@ -794,26 +791,13 @@ is specified, the location of the socket
|
@@ -799,26 +794,13 @@ is specified, the location of the socket
|
||||||
.Ev SSH_AUTH_SOCK
|
.Ev SSH_AUTH_SOCK
|
||||||
environment variable.
|
environment variable.
|
||||||
.It Cm HostKeyAlgorithms
|
.It Cm HostKeyAlgorithms
|
||||||
@ -356,7 +360,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
|
|||||||
The list of available signature algorithms may also be obtained using
|
The list of available signature algorithms may also be obtained using
|
||||||
.Qq ssh -Q HostKeyAlgorithms .
|
.Qq ssh -Q HostKeyAlgorithms .
|
||||||
.It Cm IgnoreRhosts
|
.It Cm IgnoreRhosts
|
||||||
@@ -958,20 +942,25 @@ Specifies whether to look at .k5login fi
|
@@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
.It Cm KexAlgorithms
|
.It Cm KexAlgorithms
|
||||||
@ -386,7 +390,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
|
|||||||
The supported algorithms are:
|
The supported algorithms are:
|
||||||
.Pp
|
.Pp
|
||||||
.Bl -item -compact -offset indent
|
.Bl -item -compact -offset indent
|
||||||
@@ -1003,15 +992,6 @@ ecdh-sha2-nistp521
|
@@ -1010,15 +997,6 @@ ecdh-sha2-nistp521
|
||||||
sntrup761x25519-sha512@openssh.com
|
sntrup761x25519-sha512@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
@ -402,7 +406,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
|
|||||||
The list of available key exchange algorithms may also be obtained using
|
The list of available key exchange algorithms may also be obtained using
|
||||||
.Qq ssh -Q KexAlgorithms .
|
.Qq ssh -Q KexAlgorithms .
|
||||||
.It Cm ListenAddress
|
.It Cm ListenAddress
|
||||||
@@ -1097,21 +1077,26 @@ function, and all code in the
|
@@ -1104,21 +1082,26 @@ function, and all code in the
|
||||||
file.
|
file.
|
||||||
This option is intended for debugging and no overrides are enabled by default.
|
This option is intended for debugging and no overrides are enabled by default.
|
||||||
.It Cm MACs
|
.It Cm MACs
|
||||||
@ -433,7 +437,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The algorithms that contain
|
The algorithms that contain
|
||||||
.Qq -etm
|
.Qq -etm
|
||||||
@@ -1154,15 +1139,6 @@ umac-64-etm@openssh.com
|
@@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com
|
||||||
umac-128-etm@openssh.com
|
umac-128-etm@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
@ -449,7 +453,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
|
|||||||
The list of available MAC algorithms may also be obtained using
|
The list of available MAC algorithms may also be obtained using
|
||||||
.Qq ssh -Q mac .
|
.Qq ssh -Q mac .
|
||||||
.It Cm Match
|
.It Cm Match
|
||||||
@@ -1541,37 +1517,25 @@ or equivalent.)
|
@@ -1548,37 +1522,25 @@ or equivalent.)
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
.It Cm PubkeyAcceptedAlgorithms
|
.It Cm PubkeyAcceptedAlgorithms
|
||||||
|
@ -19,11 +19,10 @@ index e7549470..b68c1710 100644
|
|||||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||||
srclimit.o sftp-server.o sftp-common.o \
|
srclimit.o sftp-server.o sftp-common.o \
|
||||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
||||||
diff --git a/auth.c b/auth.c
|
diff -up a/auth.c.gsskex b/auth.c
|
||||||
index 086b8ebb..687c57b4 100644
|
--- a/auth.c.gsskex 2021-08-20 06:03:49.000000000 +0200
|
||||||
--- a/auth.c
|
+++ b/auth.c 2021-08-27 12:41:51.262788953 +0200
|
||||||
+++ b/auth.c
|
@@ -402,7 +402,8 @@ auth_root_allowed(struct ssh *ssh, const
|
||||||
@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
|
|
||||||
case PERMIT_NO_PASSWD:
|
case PERMIT_NO_PASSWD:
|
||||||
if (strcmp(method, "publickey") == 0 ||
|
if (strcmp(method, "publickey") == 0 ||
|
||||||
strcmp(method, "hostbased") == 0 ||
|
strcmp(method, "hostbased") == 0 ||
|
||||||
@ -33,18 +32,15 @@ index 086b8ebb..687c57b4 100644
|
|||||||
return 1;
|
return 1;
|
||||||
break;
|
break;
|
||||||
case PERMIT_FORCED_ONLY:
|
case PERMIT_FORCED_ONLY:
|
||||||
@@ -724,99 +725,6 @@ fakepw(void)
|
@@ -730,97 +731,6 @@ fakepw(void)
|
||||||
return (&fake);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
-/*
|
/*
|
||||||
- * Returns the remote DNS hostname as a string. The returned string must not
|
- * Returns the remote DNS hostname as a string. The returned string must not
|
||||||
- * be freed. NB. this will usually trigger a DNS query the first time it is
|
- * be freed. NB. this will usually trigger a DNS query the first time it is
|
||||||
- * called.
|
- * called.
|
||||||
- * This function does additional checks on the hostname to mitigate some
|
- * This function does additional checks on the hostname to mitigate some
|
||||||
- * attacks on legacy rhosts-style authentication.
|
- * attacks on based on conflation of hostnames and IP addresses.
|
||||||
- * XXX is RhostsRSAAuthentication vulnerable to these?
|
|
||||||
- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
|
|
||||||
- */
|
- */
|
||||||
-
|
-
|
||||||
-static char *
|
-static char *
|
||||||
@ -130,9 +126,10 @@ index 086b8ebb..687c57b4 100644
|
|||||||
- return xstrdup(name);
|
- return xstrdup(name);
|
||||||
-}
|
-}
|
||||||
-
|
-
|
||||||
/*
|
-/*
|
||||||
* Return the canonical name of the host in the other side of the current
|
* Return the canonical name of the host in the other side of the current
|
||||||
* connection. The host name is cached, so it is efficient to call this
|
* connection. The host name is cached, so it is efficient to call this
|
||||||
|
* several times.
|
||||||
diff --git a/auth2-gss.c b/auth2-gss.c
|
diff --git a/auth2-gss.c b/auth2-gss.c
|
||||||
index 9351e042..d6446c0c 100644
|
index 9351e042..d6446c0c 100644
|
||||||
--- a/auth2-gss.c
|
--- a/auth2-gss.c
|
||||||
@ -2913,10 +2910,9 @@ index 23ab096a..485590c1 100644
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
diff --git a/readconf.c b/readconf.c
|
diff -up a/readconf.c.gsskex b/readconf.c
|
||||||
index f3cac6b3..da8022dd 100644
|
--- a/readconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200
|
||||||
--- a/readconf.c
|
+++ b/readconf.c 2021-08-27 12:25:42.556421509 +0200
|
||||||
+++ b/readconf.c
|
|
||||||
@@ -67,6 +67,7 @@
|
@@ -67,6 +67,7 @@
|
||||||
#include "uidswap.h"
|
#include "uidswap.h"
|
||||||
#include "myproposal.h"
|
#include "myproposal.h"
|
||||||
@ -2925,7 +2921,7 @@ index f3cac6b3..da8022dd 100644
|
|||||||
|
|
||||||
/* Format of the configuration file:
|
/* Format of the configuration file:
|
||||||
|
|
||||||
@@ -160,6 +161,8 @@ typedef enum {
|
@@ -161,6 +162,8 @@ typedef enum {
|
||||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||||
@ -2934,7 +2930,7 @@ index f3cac6b3..da8022dd 100644
|
|||||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||||
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
|
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
|
||||||
oHashKnownHosts,
|
oHashKnownHosts,
|
||||||
@@ -204,10 +207,22 @@ static struct {
|
@@ -206,10 +209,22 @@ static struct {
|
||||||
/* Sometimes-unsupported options */
|
/* Sometimes-unsupported options */
|
||||||
#if defined(GSSAPI)
|
#if defined(GSSAPI)
|
||||||
{ "gssapiauthentication", oGssAuthentication },
|
{ "gssapiauthentication", oGssAuthentication },
|
||||||
@ -2957,7 +2953,7 @@ index f3cac6b3..da8022dd 100644
|
|||||||
#endif
|
#endif
|
||||||
#ifdef ENABLE_PKCS11
|
#ifdef ENABLE_PKCS11
|
||||||
{ "pkcs11provider", oPKCS11Provider },
|
{ "pkcs11provider", oPKCS11Provider },
|
||||||
@@ -1029,10 +1044,42 @@ parse_time:
|
@@ -1113,10 +1128,42 @@ parse_time:
|
||||||
intptr = &options->gss_authentication;
|
intptr = &options->gss_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
@ -2986,7 +2982,7 @@ index f3cac6b3..da8022dd 100644
|
|||||||
+ goto parse_flag;
|
+ goto parse_flag;
|
||||||
+
|
+
|
||||||
+ case oGssKexAlgorithms:
|
+ case oGssKexAlgorithms:
|
||||||
+ arg = strdelim(&s);
|
+ arg = argv_next(&ac, &av);
|
||||||
+ if (!arg || *arg == '\0')
|
+ if (!arg || *arg == '\0')
|
||||||
+ fatal("%.200s line %d: Missing argument.",
|
+ fatal("%.200s line %d: Missing argument.",
|
||||||
+ filename, linenum);
|
+ filename, linenum);
|
||||||
@ -3000,9 +2996,9 @@ index f3cac6b3..da8022dd 100644
|
|||||||
case oBatchMode:
|
case oBatchMode:
|
||||||
intptr = &options->batch_mode;
|
intptr = &options->batch_mode;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -1911,7 +1958,13 @@ initialize_options(Options * options)
|
@@ -2306,7 +2353,13 @@ initialize_options(Options * options)
|
||||||
|
options->fwd_opts.streamlocal_bind_unlink = -1;
|
||||||
options->pubkey_authentication = -1;
|
options->pubkey_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
|
||||||
options->gss_authentication = -1;
|
options->gss_authentication = -1;
|
||||||
+ options->gss_keyex = -1;
|
+ options->gss_keyex = -1;
|
||||||
options->gss_deleg_creds = -1;
|
options->gss_deleg_creds = -1;
|
||||||
@ -3014,8 +3010,8 @@ index f3cac6b3..da8022dd 100644
|
|||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->kbd_interactive_devices = NULL;
|
options->kbd_interactive_devices = NULL;
|
||||||
@@ -2059,8 +2112,18 @@ fill_default_options(Options * options)
|
@@ -2463,8 +2516,18 @@ fill_default_options(Options * options)
|
||||||
options->challenge_response_authentication = 1;
|
options->pubkey_authentication = 1;
|
||||||
if (options->gss_authentication == -1)
|
if (options->gss_authentication == -1)
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
+ if (options->gss_keyex == -1)
|
+ if (options->gss_keyex == -1)
|
||||||
@ -3033,7 +3029,7 @@ index f3cac6b3..da8022dd 100644
|
|||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host)
|
@@ -3246,7 +3309,14 @@ dump_client_config(Options *o, const cha
|
||||||
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
|
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
|
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
|
||||||
@ -3048,13 +3044,12 @@ index f3cac6b3..da8022dd 100644
|
|||||||
#endif /* GSSAPI */
|
#endif /* GSSAPI */
|
||||||
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
|
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
|
||||||
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
|
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
|
||||||
diff --git a/readconf.h b/readconf.h
|
diff -up a/readconf.h.gsskex b/readconf.h
|
||||||
index feedb3d2..a8a8870d 100644
|
--- a/readconf.h.gsskex 2021-08-27 12:05:29.248142431 +0200
|
||||||
--- a/readconf.h
|
+++ b/readconf.h 2021-08-27 12:22:19.270679852 +0200
|
||||||
+++ b/readconf.h
|
@@ -39,7 +39,13 @@ typedef struct {
|
||||||
@@ -41,7 +41,13 @@ typedef struct {
|
int pubkey_authentication; /* Try ssh2 pubkey authentication. */
|
||||||
int challenge_response_authentication;
|
int hostbased_authentication; /* ssh2's rhosts_rsa */
|
||||||
/* Try S/Key or TIS, authentication. */
|
|
||||||
int gss_authentication; /* Try GSS authentication */
|
int gss_authentication; /* Try GSS authentication */
|
||||||
+ int gss_keyex; /* Try GSS key exchange */
|
+ int gss_keyex; /* Try GSS key exchange */
|
||||||
int gss_deleg_creds; /* Delegate GSS credentials */
|
int gss_deleg_creds; /* Delegate GSS credentials */
|
||||||
@ -3066,11 +3061,10 @@ index feedb3d2..a8a8870d 100644
|
|||||||
int password_authentication; /* Try password
|
int password_authentication; /* Try password
|
||||||
* authentication. */
|
* authentication. */
|
||||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||||
diff --git a/servconf.c b/servconf.c
|
diff -up a/servconf.c.gsskex b/servconf.c
|
||||||
index 70f5f73f..191575a1 100644
|
--- a/servconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200
|
||||||
--- a/servconf.c
|
+++ b/servconf.c 2021-08-27 12:28:15.887735189 +0200
|
||||||
+++ b/servconf.c
|
@@ -70,6 +70,7 @@
|
||||||
@@ -69,6 +69,7 @@
|
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "myproposal.h"
|
#include "myproposal.h"
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
@ -3078,7 +3072,7 @@ index 70f5f73f..191575a1 100644
|
|||||||
|
|
||||||
static void add_listen_addr(ServerOptions *, const char *,
|
static void add_listen_addr(ServerOptions *, const char *,
|
||||||
const char *, int);
|
const char *, int);
|
||||||
@@ -133,8 +134,11 @@ initialize_server_options(ServerOptions *options)
|
@@ -136,8 +137,11 @@ initialize_server_options(ServerOptions
|
||||||
options->kerberos_ticket_cleanup = -1;
|
options->kerberos_ticket_cleanup = -1;
|
||||||
options->kerberos_get_afs_token = -1;
|
options->kerberos_get_afs_token = -1;
|
||||||
options->gss_authentication=-1;
|
options->gss_authentication=-1;
|
||||||
@ -3089,8 +3083,8 @@ index 70f5f73f..191575a1 100644
|
|||||||
+ options->gss_kex_algorithms = NULL;
|
+ options->gss_kex_algorithms = NULL;
|
||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->permit_empty_passwd = -1;
|
||||||
@@ -375,10 +379,18 @@ fill_default_server_options(ServerOptions *options)
|
@@ -356,10 +360,18 @@ fill_default_server_options(ServerOption
|
||||||
options->kerberos_get_afs_token = 0;
|
options->kerberos_get_afs_token = 0;
|
||||||
if (options->gss_authentication == -1)
|
if (options->gss_authentication == -1)
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
@ -3109,7 +3103,7 @@ index 70f5f73f..191575a1 100644
|
|||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -531,6 +543,7 @@ typedef enum {
|
@@ -506,6 +518,7 @@ typedef enum {
|
||||||
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
|
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
@ -3117,7 +3111,7 @@ index 70f5f73f..191575a1 100644
|
|||||||
sAcceptEnv, sSetEnv, sPermitTunnel,
|
sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||||
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
||||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||||
@@ -607,12 +620,22 @@ static struct {
|
@@ -587,12 +600,22 @@ static struct {
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||||
@ -3139,8 +3133,8 @@ index 70f5f73f..191575a1 100644
|
|||||||
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
|
||||||
@@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
@@ -1576,6 +1599,10 @@ process_server_config_line_depth(ServerO
|
||||||
intptr = &options->gss_authentication;
|
intptr = &options->gss_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
@ -3151,7 +3145,7 @@ index 70f5f73f..191575a1 100644
|
|||||||
case sGssCleanupCreds:
|
case sGssCleanupCreds:
|
||||||
intptr = &options->gss_cleanup_creds;
|
intptr = &options->gss_cleanup_creds;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
@@ -1584,6 +1611,22 @@ process_server_config_line_depth(ServerO
|
||||||
intptr = &options->gss_strict_acceptor;
|
intptr = &options->gss_strict_acceptor;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
@ -3160,7 +3154,7 @@ index 70f5f73f..191575a1 100644
|
|||||||
+ goto parse_flag;
|
+ goto parse_flag;
|
||||||
+
|
+
|
||||||
+ case sGssKexAlgorithms:
|
+ case sGssKexAlgorithms:
|
||||||
+ arg = strdelim(&cp);
|
+ arg = argv_next(&ac, &av);
|
||||||
+ if (!arg || *arg == '\0')
|
+ if (!arg || *arg == '\0')
|
||||||
+ fatal("%.200s line %d: Missing argument.",
|
+ fatal("%.200s line %d: Missing argument.",
|
||||||
+ filename, linenum);
|
+ filename, linenum);
|
||||||
@ -3174,7 +3168,7 @@ index 70f5f73f..191575a1 100644
|
|||||||
case sPasswordAuthentication:
|
case sPasswordAuthentication:
|
||||||
intptr = &options->password_authentication;
|
intptr = &options->password_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o)
|
@@ -2892,6 +2935,10 @@ dump_config(ServerOptions *o)
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||||
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssh-8.6p1/configure.ac.pkcs11-uri openssh-8.6p1/configure.ac
|
diff -up openssh-8.7p1/configure.ac.pkcs11-uri openssh-8.7p1/configure.ac
|
||||||
--- openssh-8.6p1/configure.ac.pkcs11-uri 2021-04-19 14:57:30.307370482 +0200
|
--- openssh-8.7p1/configure.ac.pkcs11-uri 2021-08-30 13:07:43.646699953 +0200
|
||||||
+++ openssh-8.6p1/configure.ac 2021-04-19 14:57:30.315370543 +0200
|
+++ openssh-8.7p1/configure.ac 2021-08-30 13:07:43.662700088 +0200
|
||||||
@@ -1974,12 +1974,14 @@ AC_LINK_IFELSE(
|
@@ -1985,12 +1985,14 @@ AC_LINK_IFELSE(
|
||||||
[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
|
[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
|
||||||
])
|
])
|
||||||
|
|
||||||
@ -16,7 +16,7 @@ diff -up openssh-8.6p1/configure.ac.pkcs11-uri openssh-8.6p1/configure.ac
|
|||||||
fi
|
fi
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
@@ -2008,6 +2010,40 @@ AC_SEARCH_LIBS([dlopen], [dl])
|
@@ -2019,6 +2021,40 @@ AC_SEARCH_LIBS([dlopen], [dl])
|
||||||
AC_CHECK_FUNCS([dlopen])
|
AC_CHECK_FUNCS([dlopen])
|
||||||
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
|
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
|
||||||
|
|
||||||
@ -57,7 +57,7 @@ diff -up openssh-8.6p1/configure.ac.pkcs11-uri openssh-8.6p1/configure.ac
|
|||||||
# IRIX has a const char return value for gai_strerror()
|
# IRIX has a const char return value for gai_strerror()
|
||||||
AC_CHECK_FUNCS([gai_strerror], [
|
AC_CHECK_FUNCS([gai_strerror], [
|
||||||
AC_DEFINE([HAVE_GAI_STRERROR])
|
AC_DEFINE([HAVE_GAI_STRERROR])
|
||||||
@@ -5564,6 +5600,7 @@ echo " BSD Auth support
|
@@ -5624,6 +5660,7 @@ echo " BSD Auth support
|
||||||
echo " Random number source: $RAND_MSG"
|
echo " Random number source: $RAND_MSG"
|
||||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||||
echo " PKCS#11 support: $enable_pkcs11"
|
echo " PKCS#11 support: $enable_pkcs11"
|
||||||
@ -65,9 +65,9 @@ diff -up openssh-8.6p1/configure.ac.pkcs11-uri openssh-8.6p1/configure.ac
|
|||||||
echo " U2F/FIDO support: $enable_sk"
|
echo " U2F/FIDO support: $enable_sk"
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in
|
diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in
|
||||||
--- openssh-8.6p1/Makefile.in.pkcs11-uri 2021-04-19 14:57:30.261370134 +0200
|
--- openssh-8.7p1/Makefile.in.pkcs11-uri 2021-08-30 13:07:43.571699324 +0200
|
||||||
+++ openssh-8.6p1/Makefile.in 2021-04-19 15:14:38.916155695 +0200
|
+++ openssh-8.7p1/Makefile.in 2021-08-30 13:07:43.663700096 +0200
|
||||||
@@ -103,7 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -103,7 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \
|
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \
|
||||||
ssh-ed25519-sk.o ssh-rsa.o dh.o \
|
ssh-ed25519-sk.o ssh-rsa.o dh.o \
|
||||||
@ -77,7 +77,7 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in
|
|||||||
poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \
|
poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \
|
||||||
ssh-ed25519.o digest-openssl.o digest-libc.o \
|
ssh-ed25519.o digest-openssl.o digest-libc.o \
|
||||||
hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
|
hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
|
||||||
@@ -300,6 +300,8 @@ clean: regressclean
|
@@ -302,6 +302,8 @@ clean: regressclean
|
||||||
rm -f regress/unittests/sshsig/test_sshsig$(EXEEXT)
|
rm -f regress/unittests/sshsig/test_sshsig$(EXEEXT)
|
||||||
rm -f regress/unittests/utf8/*.o
|
rm -f regress/unittests/utf8/*.o
|
||||||
rm -f regress/unittests/utf8/test_utf8$(EXEEXT)
|
rm -f regress/unittests/utf8/test_utf8$(EXEEXT)
|
||||||
@ -86,7 +86,7 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in
|
|||||||
rm -f regress/misc/sk-dummy/*.o
|
rm -f regress/misc/sk-dummy/*.o
|
||||||
rm -f regress/misc/sk-dummy/*.lo
|
rm -f regress/misc/sk-dummy/*.lo
|
||||||
rm -f regress/misc/sk-dummy/sk-dummy.so
|
rm -f regress/misc/sk-dummy/sk-dummy.so
|
||||||
@@ -337,6 +339,8 @@ distclean: regressclean
|
@@ -339,6 +341,8 @@ distclean: regressclean
|
||||||
rm -f regress/unittests/sshsig/test_sshsig
|
rm -f regress/unittests/sshsig/test_sshsig
|
||||||
rm -f regress/unittests/utf8/*.o
|
rm -f regress/unittests/utf8/*.o
|
||||||
rm -f regress/unittests/utf8/test_utf8
|
rm -f regress/unittests/utf8/test_utf8
|
||||||
@ -95,7 +95,7 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in
|
|||||||
(cd openbsd-compat && $(MAKE) distclean)
|
(cd openbsd-compat && $(MAKE) distclean)
|
||||||
if test -d pkg ; then \
|
if test -d pkg ; then \
|
||||||
rm -fr pkg ; \
|
rm -fr pkg ; \
|
||||||
@@ -511,6 +515,7 @@ regress-prep:
|
@@ -513,6 +517,7 @@ regress-prep:
|
||||||
$(MKDIR_P) `pwd`/regress/unittests/sshkey
|
$(MKDIR_P) `pwd`/regress/unittests/sshkey
|
||||||
$(MKDIR_P) `pwd`/regress/unittests/sshsig
|
$(MKDIR_P) `pwd`/regress/unittests/sshsig
|
||||||
$(MKDIR_P) `pwd`/regress/unittests/utf8
|
$(MKDIR_P) `pwd`/regress/unittests/utf8
|
||||||
@ -103,7 +103,7 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in
|
|||||||
$(MKDIR_P) `pwd`/regress/misc/sk-dummy
|
$(MKDIR_P) `pwd`/regress/misc/sk-dummy
|
||||||
[ -f `pwd`/regress/Makefile ] || \
|
[ -f `pwd`/regress/Makefile ] || \
|
||||||
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
|
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
|
||||||
@@ -674,6 +679,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT
|
@@ -677,6 +682,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT
|
||||||
regress/unittests/test_helper/libtest_helper.a \
|
regress/unittests/test_helper/libtest_helper.a \
|
||||||
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||||
|
|
||||||
@ -120,17 +120,19 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in
|
|||||||
# These all need to be compiled -fPIC, so they are treated differently.
|
# These all need to be compiled -fPIC, so they are treated differently.
|
||||||
SK_DUMMY_OBJS=\
|
SK_DUMMY_OBJS=\
|
||||||
regress/misc/sk-dummy/sk-dummy.lo \
|
regress/misc/sk-dummy/sk-dummy.lo \
|
||||||
@@ -709,6 +724,7 @@ regress-unit-binaries: regress-prep $(RE
|
@@ -711,7 +726,8 @@ regress-unit-binaries: regress-prep $(RE
|
||||||
|
regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
|
||||||
regress/unittests/sshkey/test_sshkey$(EXEEXT) \
|
regress/unittests/sshkey/test_sshkey$(EXEEXT) \
|
||||||
regress/unittests/sshsig/test_sshsig$(EXEEXT) \
|
regress/unittests/sshsig/test_sshsig$(EXEEXT) \
|
||||||
regress/unittests/utf8/test_utf8$(EXEEXT) \
|
- regress/unittests/utf8/test_utf8$(EXEEXT)
|
||||||
|
+ regress/unittests/utf8/test_utf8$(EXEEXT) \
|
||||||
+ regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
|
+ regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
|
||||||
|
|
||||||
tests: file-tests t-exec interop-tests unit
|
tests: file-tests t-exec interop-tests unit
|
||||||
echo all tests passed
|
echo all tests passed
|
||||||
diff -up openssh-8.6p1/regress/agent-pkcs11.sh.pkcs11-uri openssh-8.6p1/regress/agent-pkcs11.sh
|
diff -up openssh-8.7p1/regress/agent-pkcs11.sh.pkcs11-uri openssh-8.7p1/regress/agent-pkcs11.sh
|
||||||
--- openssh-8.6p1/regress/agent-pkcs11.sh.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200
|
--- openssh-8.7p1/regress/agent-pkcs11.sh.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200
|
||||||
+++ openssh-8.6p1/regress/agent-pkcs11.sh 2021-04-19 14:57:30.316370550 +0200
|
+++ openssh-8.7p1/regress/agent-pkcs11.sh 2021-08-30 13:07:43.663700096 +0200
|
||||||
@@ -113,7 +113,7 @@ else
|
@@ -113,7 +113,7 @@ else
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -140,10 +142,10 @@ diff -up openssh-8.6p1/regress/agent-pkcs11.sh.pkcs11-uri openssh-8.6p1/regress/
|
|||||||
r=$?
|
r=$?
|
||||||
if [ $r -ne 0 ]; then
|
if [ $r -ne 0 ]; then
|
||||||
fail "ssh-add -e failed: exit code $r"
|
fail "ssh-add -e failed: exit code $r"
|
||||||
diff -up openssh-8.6p1/regress/Makefile.pkcs11-uri openssh-8.6p1/regress/Makefile
|
diff -up openssh-8.7p1/regress/Makefile.pkcs11-uri openssh-8.7p1/regress/Makefile
|
||||||
--- openssh-8.6p1/regress/Makefile.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200
|
--- openssh-8.7p1/regress/Makefile.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200
|
||||||
+++ openssh-8.6p1/regress/Makefile 2021-04-19 15:15:44.411651410 +0200
|
+++ openssh-8.7p1/regress/Makefile 2021-08-30 13:07:43.663700096 +0200
|
||||||
@@ -119,7 +119,8 @@ CLEANFILES= *.core actual agent-key.* au
|
@@ -122,7 +122,8 @@ CLEANFILES= *.core actual agent-key.* au
|
||||||
known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \
|
known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \
|
||||||
modpipe netcat no_identity_config \
|
modpipe netcat no_identity_config \
|
||||||
pidfile putty.rsa2 ready regress.log remote_pid \
|
pidfile putty.rsa2 ready regress.log remote_pid \
|
||||||
@ -153,7 +155,7 @@ diff -up openssh-8.6p1/regress/Makefile.pkcs11-uri openssh-8.6p1/regress/Makefil
|
|||||||
rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
|
rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
|
||||||
scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
|
scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
|
||||||
sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
|
sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
|
||||||
@@ -249,8 +250,9 @@ unit:
|
@@ -252,8 +253,9 @@ unit:
|
||||||
V="" ; \
|
V="" ; \
|
||||||
test "x${USE_VALGRIND}" = "x" || \
|
test "x${USE_VALGRIND}" = "x" || \
|
||||||
V=${.CURDIR}/valgrind-unit.sh ; \
|
V=${.CURDIR}/valgrind-unit.sh ; \
|
||||||
@ -165,9 +167,9 @@ diff -up openssh-8.6p1/regress/Makefile.pkcs11-uri openssh-8.6p1/regress/Makefil
|
|||||||
-d ${.CURDIR}/unittests/sshkey/testdata ; \
|
-d ${.CURDIR}/unittests/sshkey/testdata ; \
|
||||||
$$V ${.OBJDIR}/unittests/sshsig/test_sshsig \
|
$$V ${.OBJDIR}/unittests/sshsig/test_sshsig \
|
||||||
-d ${.CURDIR}/unittests/sshsig/testdata ; \
|
-d ${.CURDIR}/unittests/sshsig/testdata ; \
|
||||||
diff -up openssh-8.6p1/regress/pkcs11.sh.pkcs11-uri openssh-8.6p1/regress/pkcs11.sh
|
diff -up openssh-8.7p1/regress/pkcs11.sh.pkcs11-uri openssh-8.7p1/regress/pkcs11.sh
|
||||||
--- openssh-8.6p1/regress/pkcs11.sh.pkcs11-uri 2021-04-19 14:57:30.316370550 +0200
|
--- openssh-8.7p1/regress/pkcs11.sh.pkcs11-uri 2021-08-30 13:07:43.663700096 +0200
|
||||||
+++ openssh-8.6p1/regress/pkcs11.sh 2021-04-19 14:57:30.316370550 +0200
|
+++ openssh-8.7p1/regress/pkcs11.sh 2021-08-30 13:07:43.663700096 +0200
|
||||||
@@ -0,0 +1,349 @@
|
@@ -0,0 +1,349 @@
|
||||||
+#
|
+#
|
||||||
+# Copyright (c) 2017 Red Hat
|
+# Copyright (c) 2017 Red Hat
|
||||||
@ -518,9 +520,9 @@ diff -up openssh-8.6p1/regress/pkcs11.sh.pkcs11-uri openssh-8.6p1/regress/pkcs11
|
|||||||
+ trace "kill agent"
|
+ trace "kill agent"
|
||||||
+ ${SSHAGENT} -k > /dev/null
|
+ ${SSHAGENT} -k > /dev/null
|
||||||
+fi
|
+fi
|
||||||
diff -up openssh-8.6p1/regress/unittests/Makefile.pkcs11-uri openssh-8.6p1/regress/unittests/Makefile
|
diff -up openssh-8.7p1/regress/unittests/Makefile.pkcs11-uri openssh-8.7p1/regress/unittests/Makefile
|
||||||
--- openssh-8.6p1/regress/unittests/Makefile.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200
|
--- openssh-8.7p1/regress/unittests/Makefile.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200
|
||||||
+++ openssh-8.6p1/regress/unittests/Makefile 2021-04-19 14:57:30.316370550 +0200
|
+++ openssh-8.7p1/regress/unittests/Makefile 2021-08-30 13:07:43.663700096 +0200
|
||||||
@@ -2,6 +2,6 @@
|
@@ -2,6 +2,6 @@
|
||||||
|
|
||||||
REGRESS_FAIL_EARLY?= yes
|
REGRESS_FAIL_EARLY?= yes
|
||||||
@ -529,9 +531,9 @@ diff -up openssh-8.6p1/regress/unittests/Makefile.pkcs11-uri openssh-8.6p1/regre
|
|||||||
+SUBDIR+=authopt misc sshsig pkcs11
|
+SUBDIR+=authopt misc sshsig pkcs11
|
||||||
|
|
||||||
.include <bsd.subdir.mk>
|
.include <bsd.subdir.mk>
|
||||||
diff -up openssh-8.6p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.6p1/regress/unittests/pkcs11/tests.c
|
diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1/regress/unittests/pkcs11/tests.c
|
||||||
--- openssh-8.6p1/regress/unittests/pkcs11/tests.c.pkcs11-uri 2021-04-19 14:57:30.317370558 +0200
|
--- openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri 2021-08-30 13:07:43.664700104 +0200
|
||||||
+++ openssh-8.6p1/regress/unittests/pkcs11/tests.c 2021-04-19 14:57:30.317370558 +0200
|
+++ openssh-8.7p1/regress/unittests/pkcs11/tests.c 2021-08-30 13:07:43.664700104 +0200
|
||||||
@@ -0,0 +1,337 @@
|
@@ -0,0 +1,337 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2017 Red Hat
|
+ * Copyright (c) 2017 Red Hat
|
||||||
@ -870,9 +872,9 @@ diff -up openssh-8.6p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.6p1
|
|||||||
+ test_parse_invalid();
|
+ test_parse_invalid();
|
||||||
+ test_generate_valid();
|
+ test_generate_valid();
|
||||||
+}
|
+}
|
||||||
diff -up openssh-8.6p1/ssh-add.c.pkcs11-uri openssh-8.6p1/ssh-add.c
|
diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c
|
||||||
--- openssh-8.6p1/ssh-add.c.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200
|
--- openssh-8.7p1/ssh-add.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200
|
||||||
+++ openssh-8.6p1/ssh-add.c 2021-04-19 14:57:30.317370558 +0200
|
+++ openssh-8.7p1/ssh-add.c 2021-08-30 13:07:43.664700104 +0200
|
||||||
@@ -68,6 +68,7 @@
|
@@ -68,6 +68,7 @@
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
#include "ssh-sk.h"
|
#include "ssh-sk.h"
|
||||||
@ -952,9 +954,9 @@ diff -up openssh-8.6p1/ssh-add.c.pkcs11-uri openssh-8.6p1/ssh-add.c
|
|||||||
ret = 1;
|
ret = 1;
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
diff -up openssh-8.6p1/ssh-agent.c.pkcs11-uri openssh-8.6p1/ssh-agent.c
|
diff -up openssh-8.7p1/ssh-agent.c.pkcs11-uri openssh-8.7p1/ssh-agent.c
|
||||||
--- openssh-8.6p1/ssh-agent.c.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200
|
--- openssh-8.7p1/ssh-agent.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200
|
||||||
+++ openssh-8.6p1/ssh-agent.c 2021-04-19 14:57:30.317370558 +0200
|
+++ openssh-8.7p1/ssh-agent.c 2021-08-30 13:07:43.664700104 +0200
|
||||||
@@ -847,10 +847,72 @@ no_identities(SocketEntry *e)
|
@@ -847,10 +847,72 @@ no_identities(SocketEntry *e)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1125,10 +1127,10 @@ diff -up openssh-8.6p1/ssh-agent.c.pkcs11-uri openssh-8.6p1/ssh-agent.c
|
|||||||
send_status(e, success);
|
send_status(e, success);
|
||||||
}
|
}
|
||||||
#endif /* ENABLE_PKCS11 */
|
#endif /* ENABLE_PKCS11 */
|
||||||
diff -up openssh-8.6p1/ssh_config.5.pkcs11-uri openssh-8.6p1/ssh_config.5
|
diff -up openssh-8.7p1/ssh_config.5.pkcs11-uri openssh-8.7p1/ssh_config.5
|
||||||
--- openssh-8.6p1/ssh_config.5.pkcs11-uri 2021-04-19 14:57:30.269370194 +0200
|
--- openssh-8.7p1/ssh_config.5.pkcs11-uri 2021-08-30 13:07:43.578699383 +0200
|
||||||
+++ openssh-8.6p1/ssh_config.5 2021-04-19 14:57:30.321370588 +0200
|
+++ openssh-8.7p1/ssh_config.5 2021-08-30 13:07:43.664700104 +0200
|
||||||
@@ -1063,6 +1063,21 @@ may also be used in conjunction with
|
@@ -1111,6 +1111,21 @@ may also be used in conjunction with
|
||||||
.Cm CertificateFile
|
.Cm CertificateFile
|
||||||
in order to provide any certificate also needed for authentication with
|
in order to provide any certificate also needed for authentication with
|
||||||
the identity.
|
the identity.
|
||||||
@ -1150,10 +1152,10 @@ diff -up openssh-8.6p1/ssh_config.5.pkcs11-uri openssh-8.6p1/ssh_config.5
|
|||||||
.It Cm IgnoreUnknown
|
.It Cm IgnoreUnknown
|
||||||
Specifies a pattern-list of unknown options to be ignored if they are
|
Specifies a pattern-list of unknown options to be ignored if they are
|
||||||
encountered in configuration parsing.
|
encountered in configuration parsing.
|
||||||
diff -up openssh-8.6p1/ssh.c.pkcs11-uri openssh-8.6p1/ssh.c
|
diff -up openssh-8.7p1/ssh.c.pkcs11-uri openssh-8.7p1/ssh.c
|
||||||
--- openssh-8.6p1/ssh.c.pkcs11-uri 2021-04-19 14:57:30.269370194 +0200
|
--- openssh-8.7p1/ssh.c.pkcs11-uri 2021-08-30 13:07:43.578699383 +0200
|
||||||
+++ openssh-8.6p1/ssh.c 2021-04-19 15:17:05.804267447 +0200
|
+++ openssh-8.7p1/ssh.c 2021-08-30 13:07:43.666700121 +0200
|
||||||
@@ -843,6 +843,14 @@ main(int ac, char **av)
|
@@ -826,6 +826,14 @@ main(int ac, char **av)
|
||||||
options.gss_deleg_creds = 1;
|
options.gss_deleg_creds = 1;
|
||||||
break;
|
break;
|
||||||
case 'i':
|
case 'i':
|
||||||
@ -1168,7 +1170,7 @@ diff -up openssh-8.6p1/ssh.c.pkcs11-uri openssh-8.6p1/ssh.c
|
|||||||
p = tilde_expand_filename(optarg, getuid());
|
p = tilde_expand_filename(optarg, getuid());
|
||||||
if (stat(p, &st) == -1)
|
if (stat(p, &st) == -1)
|
||||||
fprintf(stderr, "Warning: Identity file %s "
|
fprintf(stderr, "Warning: Identity file %s "
|
||||||
@@ -1695,6 +1703,7 @@ main(int ac, char **av)
|
@@ -1681,6 +1689,7 @@ main(int ac, char **av)
|
||||||
#ifdef ENABLE_PKCS11
|
#ifdef ENABLE_PKCS11
|
||||||
(void)pkcs11_del_provider(options.pkcs11_provider);
|
(void)pkcs11_del_provider(options.pkcs11_provider);
|
||||||
#endif
|
#endif
|
||||||
@ -1176,7 +1178,7 @@ diff -up openssh-8.6p1/ssh.c.pkcs11-uri openssh-8.6p1/ssh.c
|
|||||||
|
|
||||||
skip_connect:
|
skip_connect:
|
||||||
exit_status = ssh_session2(ssh, cinfo);
|
exit_status = ssh_session2(ssh, cinfo);
|
||||||
@@ -2211,6 +2220,45 @@ ssh_session2(struct ssh *ssh, const stru
|
@@ -2197,6 +2206,45 @@ ssh_session2(struct ssh *ssh, const stru
|
||||||
options.escape_char : SSH_ESCAPECHAR_NONE, id);
|
options.escape_char : SSH_ESCAPECHAR_NONE, id);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1222,7 +1224,7 @@ diff -up openssh-8.6p1/ssh.c.pkcs11-uri openssh-8.6p1/ssh.c
|
|||||||
/* Loads all IdentityFile and CertificateFile keys */
|
/* Loads all IdentityFile and CertificateFile keys */
|
||||||
static void
|
static void
|
||||||
load_public_identity_files(const struct ssh_conn_info *cinfo)
|
load_public_identity_files(const struct ssh_conn_info *cinfo)
|
||||||
@@ -2225,11 +2273,6 @@ load_public_identity_files(const struct
|
@@ -2211,11 +2259,6 @@ load_public_identity_files(const struct
|
||||||
char *certificate_files[SSH_MAX_CERTIFICATE_FILES];
|
char *certificate_files[SSH_MAX_CERTIFICATE_FILES];
|
||||||
struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
|
struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
|
||||||
int certificate_file_userprovided[SSH_MAX_CERTIFICATE_FILES];
|
int certificate_file_userprovided[SSH_MAX_CERTIFICATE_FILES];
|
||||||
@ -1234,7 +1236,7 @@ diff -up openssh-8.6p1/ssh.c.pkcs11-uri openssh-8.6p1/ssh.c
|
|||||||
|
|
||||||
n_ids = n_certs = 0;
|
n_ids = n_certs = 0;
|
||||||
memset(identity_files, 0, sizeof(identity_files));
|
memset(identity_files, 0, sizeof(identity_files));
|
||||||
@@ -2242,33 +2285,46 @@ load_public_identity_files(const struct
|
@@ -2228,33 +2271,46 @@ load_public_identity_files(const struct
|
||||||
sizeof(certificate_file_userprovided));
|
sizeof(certificate_file_userprovided));
|
||||||
|
|
||||||
#ifdef ENABLE_PKCS11
|
#ifdef ENABLE_PKCS11
|
||||||
@ -1300,9 +1302,9 @@ diff -up openssh-8.6p1/ssh.c.pkcs11-uri openssh-8.6p1/ssh.c
|
|||||||
filename = default_client_percent_dollar_expand(cp, cinfo);
|
filename = default_client_percent_dollar_expand(cp, cinfo);
|
||||||
free(cp);
|
free(cp);
|
||||||
check_load(sshkey_load_public(filename, &public, NULL),
|
check_load(sshkey_load_public(filename, &public, NULL),
|
||||||
diff -up openssh-8.6p1/ssh-keygen.c.pkcs11-uri openssh-8.6p1/ssh-keygen.c
|
diff -up openssh-8.7p1/ssh-keygen.c.pkcs11-uri openssh-8.7p1/ssh-keygen.c
|
||||||
--- openssh-8.6p1/ssh-keygen.c.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200
|
--- openssh-8.7p1/ssh-keygen.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200
|
||||||
+++ openssh-8.6p1/ssh-keygen.c 2021-04-19 14:57:30.318370565 +0200
|
+++ openssh-8.7p1/ssh-keygen.c 2021-08-30 13:07:43.666700121 +0200
|
||||||
@@ -860,8 +860,11 @@ do_download(struct passwd *pw)
|
@@ -860,8 +860,11 @@ do_download(struct passwd *pw)
|
||||||
free(fp);
|
free(fp);
|
||||||
} else {
|
} else {
|
||||||
@ -1317,9 +1319,9 @@ diff -up openssh-8.6p1/ssh-keygen.c.pkcs11-uri openssh-8.6p1/ssh-keygen.c
|
|||||||
}
|
}
|
||||||
free(comments[i]);
|
free(comments[i]);
|
||||||
sshkey_free(keys[i]);
|
sshkey_free(keys[i]);
|
||||||
diff -up openssh-8.6p1/ssh-pkcs11-client.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11-client.c
|
diff -up openssh-8.7p1/ssh-pkcs11-client.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-client.c
|
||||||
--- openssh-8.6p1/ssh-pkcs11-client.c.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200
|
--- openssh-8.7p1/ssh-pkcs11-client.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200
|
||||||
+++ openssh-8.6p1/ssh-pkcs11-client.c 2021-04-19 14:57:30.318370565 +0200
|
+++ openssh-8.7p1/ssh-pkcs11-client.c 2021-08-30 13:07:43.666700121 +0200
|
||||||
@@ -323,6 +323,8 @@ pkcs11_add_provider(char *name, char *pi
|
@@ -323,6 +323,8 @@ pkcs11_add_provider(char *name, char *pi
|
||||||
u_int nkeys, i;
|
u_int nkeys, i;
|
||||||
struct sshbuf *msg;
|
struct sshbuf *msg;
|
||||||
@ -1337,9 +1339,9 @@ diff -up openssh-8.6p1/ssh-pkcs11-client.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11-c
|
|||||||
for (i = 0; i < nkeys; i++) {
|
for (i = 0; i < nkeys; i++) {
|
||||||
/* XXX clean up properly instead of fatal() */
|
/* XXX clean up properly instead of fatal() */
|
||||||
if ((r = sshbuf_get_string(msg, &blob, &blen)) != 0 ||
|
if ((r = sshbuf_get_string(msg, &blob, &blen)) != 0 ||
|
||||||
diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
|
||||||
--- openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200
|
--- openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200
|
||||||
+++ openssh-8.6p1/ssh-pkcs11.c 2021-04-19 14:57:30.320370580 +0200
|
+++ openssh-8.7p1/ssh-pkcs11.c 2021-08-30 13:12:27.709084157 +0200
|
||||||
@@ -55,8 +55,8 @@ struct pkcs11_slotinfo {
|
@@ -55,8 +55,8 @@ struct pkcs11_slotinfo {
|
||||||
int logged_in;
|
int logged_in;
|
||||||
};
|
};
|
||||||
@ -1383,8 +1385,8 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
CK_RV rv;
|
CK_RV rv;
|
||||||
CK_ULONG i;
|
CK_ULONG i;
|
||||||
|
|
||||||
- debug("pkcs11_provider_finalize: %p refcount %d valid %d",
|
- debug_f("provider \"%s\" refcount %d valid %d",
|
||||||
- p, p->refcount, p->valid);
|
- p->name, p->refcount, p->valid);
|
||||||
- if (!p->valid)
|
- if (!p->valid)
|
||||||
+ debug_f("%p refcount %d valid %d", m, m->refcount, m->valid);
|
+ debug_f("%p refcount %d valid %d", m, m->refcount, m->valid);
|
||||||
+ if (!m->valid)
|
+ if (!m->valid)
|
||||||
@ -1427,9 +1429,9 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+/*
|
+/*
|
||||||
+ * finalize a provider shared libarary, it's no longer usable.
|
+ * finalize a provider shared library, it's no longer usable.
|
||||||
+ * however, there might still be keys referencing this provider,
|
+ * however, there might still be keys referencing this provider,
|
||||||
+ * so the actuall freeing of memory is handled by pkcs11_provider_unref().
|
+ * so the actual freeing of memory is handled by pkcs11_provider_unref().
|
||||||
+ * this is called when a provider gets unregistered.
|
+ * this is called when a provider gets unregistered.
|
||||||
+ */
|
+ */
|
||||||
+static void
|
+static void
|
||||||
@ -1446,15 +1448,12 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -135,13 +178,11 @@ pkcs11_provider_finalize(struct pkcs11_p
|
@@ -137,11 +180,9 @@ pkcs11_provider_unref(struct pkcs11_prov
|
||||||
static void
|
|
||||||
pkcs11_provider_unref(struct pkcs11_provider *p)
|
|
||||||
{
|
{
|
||||||
- debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount);
|
debug_f("provider \"%s\" refcount %d", p->name, p->refcount);
|
||||||
+ debug_f("%p refcount %d", p, p->refcount);
|
|
||||||
if (--p->refcount <= 0) {
|
if (--p->refcount <= 0) {
|
||||||
- if (p->valid)
|
- if (p->valid)
|
||||||
- error("pkcs11_provider_unref: %p still valid", p);
|
- error_f("provider \"%s\" still valid", p->name);
|
||||||
free(p->name);
|
free(p->name);
|
||||||
- free(p->slotlist);
|
- free(p->slotlist);
|
||||||
- free(p->slotinfo);
|
- free(p->slotinfo);
|
||||||
@ -1543,7 +1542,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
static RSA_METHOD *rsa_method;
|
static RSA_METHOD *rsa_method;
|
||||||
@@ -195,6 +283,55 @@ static EC_KEY_METHOD *ec_key_method;
|
@@ -195,6 +286,55 @@ static EC_KEY_METHOD *ec_key_method;
|
||||||
static int ec_key_idx = 0;
|
static int ec_key_idx = 0;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -1599,7 +1598,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
/* release a wrapped object */
|
/* release a wrapped object */
|
||||||
static void
|
static void
|
||||||
pkcs11_k11_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx,
|
pkcs11_k11_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx,
|
||||||
@@ -208,6 +345,7 @@ pkcs11_k11_free(void *parent, void *ptr,
|
@@ -208,6 +348,7 @@ pkcs11_k11_free(void *parent, void *ptr,
|
||||||
if (k11->provider)
|
if (k11->provider)
|
||||||
pkcs11_provider_unref(k11->provider);
|
pkcs11_provider_unref(k11->provider);
|
||||||
free(k11->keyid);
|
free(k11->keyid);
|
||||||
@ -1607,7 +1606,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
free(k11);
|
free(k11);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -222,8 +360,8 @@ pkcs11_find(struct pkcs11_provider *p, C
|
@@ -222,8 +363,8 @@ pkcs11_find(struct pkcs11_provider *p, C
|
||||||
CK_RV rv;
|
CK_RV rv;
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
|
|
||||||
@ -1618,7 +1617,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
if ((rv = f->C_FindObjectsInit(session, attr, nattr)) != CKR_OK) {
|
if ((rv = f->C_FindObjectsInit(session, attr, nattr)) != CKR_OK) {
|
||||||
error("C_FindObjectsInit failed (nattr %lu): %lu", nattr, rv);
|
error("C_FindObjectsInit failed (nattr %lu): %lu", nattr, rv);
|
||||||
return (-1);
|
return (-1);
|
||||||
@@ -262,12 +400,12 @@ pkcs11_login_slot(struct pkcs11_provider
|
@@ -262,12 +403,12 @@ pkcs11_login_slot(struct pkcs11_provider
|
||||||
else {
|
else {
|
||||||
snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
|
snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
|
||||||
si->token.label);
|
si->token.label);
|
||||||
@ -1633,7 +1632,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
(pin != NULL) ? strlen(pin) : 0);
|
(pin != NULL) ? strlen(pin) : 0);
|
||||||
if (pin != NULL)
|
if (pin != NULL)
|
||||||
freezero(pin, strlen(pin));
|
freezero(pin, strlen(pin));
|
||||||
@@ -297,13 +435,14 @@ pkcs11_login_slot(struct pkcs11_provider
|
@@ -297,13 +438,14 @@ pkcs11_login_slot(struct pkcs11_provider
|
||||||
static int
|
static int
|
||||||
pkcs11_login(struct pkcs11_key *k11, CK_USER_TYPE type)
|
pkcs11_login(struct pkcs11_key *k11, CK_USER_TYPE type)
|
||||||
{
|
{
|
||||||
@ -1650,7 +1649,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -319,13 +458,14 @@ pkcs11_check_obj_bool_attrib(struct pkcs
|
@@ -319,13 +461,14 @@ pkcs11_check_obj_bool_attrib(struct pkcs
|
||||||
|
|
||||||
*val = 0;
|
*val = 0;
|
||||||
|
|
||||||
@ -1668,7 +1667,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
|
|
||||||
attr.type = type;
|
attr.type = type;
|
||||||
attr.pValue = &flag;
|
attr.pValue = &flag;
|
||||||
@@ -356,13 +496,14 @@ pkcs11_get_key(struct pkcs11_key *k11, C
|
@@ -356,13 +499,14 @@ pkcs11_get_key(struct pkcs11_key *k11, C
|
||||||
int always_auth = 0;
|
int always_auth = 0;
|
||||||
int did_login = 0;
|
int did_login = 0;
|
||||||
|
|
||||||
@ -1686,7 +1685,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
|
|
||||||
if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
|
if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
|
||||||
if (pkcs11_login(k11, CKU_USER) < 0) {
|
if (pkcs11_login(k11, CKU_USER) < 0) {
|
||||||
@@ -439,8 +580,8 @@ pkcs11_rsa_private_encrypt(int flen, con
|
@@ -439,8 +583,8 @@ pkcs11_rsa_private_encrypt(int flen, con
|
||||||
return (-1);
|
return (-1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1697,7 +1696,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
tlen = RSA_size(rsa);
|
tlen = RSA_size(rsa);
|
||||||
|
|
||||||
/* XXX handle CKR_BUFFER_TOO_SMALL */
|
/* XXX handle CKR_BUFFER_TOO_SMALL */
|
||||||
@@ -484,7 +625,7 @@ pkcs11_rsa_start_wrapper(void)
|
@@ -484,7 +628,7 @@ pkcs11_rsa_start_wrapper(void)
|
||||||
/* redirect private key operations for rsa key to pkcs11 token */
|
/* redirect private key operations for rsa key to pkcs11 token */
|
||||||
static int
|
static int
|
||||||
pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
|
pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
|
||||||
@ -1706,7 +1705,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
{
|
{
|
||||||
struct pkcs11_key *k11;
|
struct pkcs11_key *k11;
|
||||||
|
|
||||||
@@ -502,6 +643,12 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
|
@@ -502,6 +646,12 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
|
||||||
memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
|
memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1719,7 +1718,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
RSA_set_method(rsa, rsa_method);
|
RSA_set_method(rsa, rsa_method);
|
||||||
RSA_set_ex_data(rsa, rsa_idx, k11);
|
RSA_set_ex_data(rsa, rsa_idx, k11);
|
||||||
return (0);
|
return (0);
|
||||||
@@ -532,8 +679,8 @@ ecdsa_do_sign(const unsigned char *dgst,
|
@@ -532,8 +682,8 @@ ecdsa_do_sign(const unsigned char *dgst,
|
||||||
return (NULL);
|
return (NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1730,7 +1729,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
|
|
||||||
siglen = ECDSA_size(ec);
|
siglen = ECDSA_size(ec);
|
||||||
sig = xmalloc(siglen);
|
sig = xmalloc(siglen);
|
||||||
@@ -598,7 +745,7 @@ pkcs11_ecdsa_start_wrapper(void)
|
@@ -598,7 +748,7 @@ pkcs11_ecdsa_start_wrapper(void)
|
||||||
|
|
||||||
static int
|
static int
|
||||||
pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
|
pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
|
||||||
@ -1739,7 +1738,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
{
|
{
|
||||||
struct pkcs11_key *k11;
|
struct pkcs11_key *k11;
|
||||||
|
|
||||||
@@ -614,6 +761,12 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider
|
@@ -614,6 +764,12 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider
|
||||||
k11->keyid = xmalloc(k11->keyid_len);
|
k11->keyid = xmalloc(k11->keyid_len);
|
||||||
memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
|
memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
|
||||||
|
|
||||||
@ -1752,7 +1751,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
EC_KEY_set_method(ec, ec_key_method);
|
EC_KEY_set_method(ec, ec_key_method);
|
||||||
EC_KEY_set_ex_data(ec, ec_key_idx, k11);
|
EC_KEY_set_ex_data(ec, ec_key_idx, k11);
|
||||||
|
|
||||||
@@ -650,8 +803,8 @@ pkcs11_open_session(struct pkcs11_provid
|
@@ -650,8 +806,8 @@ pkcs11_open_session(struct pkcs11_provid
|
||||||
CK_SESSION_HANDLE session;
|
CK_SESSION_HANDLE session;
|
||||||
int login_required, ret;
|
int login_required, ret;
|
||||||
|
|
||||||
@ -1763,7 +1762,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
|
|
||||||
login_required = si->token.flags & CKF_LOGIN_REQUIRED;
|
login_required = si->token.flags & CKF_LOGIN_REQUIRED;
|
||||||
|
|
||||||
@@ -661,9 +814,9 @@ pkcs11_open_session(struct pkcs11_provid
|
@@ -661,9 +817,9 @@ pkcs11_open_session(struct pkcs11_provid
|
||||||
error("pin required");
|
error("pin required");
|
||||||
return (-SSH_PKCS11_ERR_PIN_REQUIRED);
|
return (-SSH_PKCS11_ERR_PIN_REQUIRED);
|
||||||
}
|
}
|
||||||
@ -1775,7 +1774,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
return (-1);
|
return (-1);
|
||||||
}
|
}
|
||||||
if (login_required && pin != NULL && strlen(pin) != 0) {
|
if (login_required && pin != NULL && strlen(pin) != 0) {
|
||||||
@@ -699,7 +852,8 @@ static struct sshkey *
|
@@ -699,7 +855,8 @@ static struct sshkey *
|
||||||
pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
|
pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
|
||||||
CK_OBJECT_HANDLE *obj)
|
CK_OBJECT_HANDLE *obj)
|
||||||
{
|
{
|
||||||
@ -1785,7 +1784,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
CK_SESSION_HANDLE session;
|
CK_SESSION_HANDLE session;
|
||||||
CK_FUNCTION_LIST *f = NULL;
|
CK_FUNCTION_LIST *f = NULL;
|
||||||
CK_RV rv;
|
CK_RV rv;
|
||||||
@@ -713,14 +867,15 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_
|
@@ -713,14 +870,15 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_
|
||||||
|
|
||||||
memset(&key_attr, 0, sizeof(key_attr));
|
memset(&key_attr, 0, sizeof(key_attr));
|
||||||
key_attr[0].type = CKA_ID;
|
key_attr[0].type = CKA_ID;
|
||||||
@ -1806,7 +1805,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
if (rv != CKR_OK) {
|
if (rv != CKR_OK) {
|
||||||
error("C_GetAttributeValue failed: %lu", rv);
|
error("C_GetAttributeValue failed: %lu", rv);
|
||||||
return (NULL);
|
return (NULL);
|
||||||
@@ -731,19 +886,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_
|
@@ -731,19 +889,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_
|
||||||
* ensure that none of the others are zero length.
|
* ensure that none of the others are zero length.
|
||||||
* XXX assumes CKA_ID is always first.
|
* XXX assumes CKA_ID is always first.
|
||||||
*/
|
*/
|
||||||
@ -1830,7 +1829,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
if (rv != CKR_OK) {
|
if (rv != CKR_OK) {
|
||||||
error("C_GetAttributeValue failed: %lu", rv);
|
error("C_GetAttributeValue failed: %lu", rv);
|
||||||
goto fail;
|
goto fail;
|
||||||
@@ -755,8 +910,8 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_
|
@@ -755,8 +913,8 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1841,7 +1840,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
if (group == NULL) {
|
if (group == NULL) {
|
||||||
ossl_error("d2i_ECPKParameters failed");
|
ossl_error("d2i_ECPKParameters failed");
|
||||||
goto fail;
|
goto fail;
|
||||||
@@ -767,13 +922,13 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_
|
@@ -767,13 +925,13 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1858,7 +1857,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
if (octet == NULL) {
|
if (octet == NULL) {
|
||||||
ossl_error("d2i_ASN1_OCTET_STRING failed");
|
ossl_error("d2i_ASN1_OCTET_STRING failed");
|
||||||
goto fail;
|
goto fail;
|
||||||
@@ -790,7 +945,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_
|
@@ -790,7 +948,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1867,7 +1866,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
goto fail;
|
goto fail;
|
||||||
|
|
||||||
key = sshkey_new(KEY_UNSPEC);
|
key = sshkey_new(KEY_UNSPEC);
|
||||||
@@ -806,7 +961,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_
|
@@ -806,7 +964,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_
|
||||||
ec = NULL; /* now owned by key */
|
ec = NULL; /* now owned by key */
|
||||||
|
|
||||||
fail:
|
fail:
|
||||||
@ -1876,7 +1875,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
free(key_attr[i].pValue);
|
free(key_attr[i].pValue);
|
||||||
if (ec)
|
if (ec)
|
||||||
EC_KEY_free(ec);
|
EC_KEY_free(ec);
|
||||||
@@ -823,7 +978,8 @@ static struct sshkey *
|
@@ -823,7 +981,8 @@ static struct sshkey *
|
||||||
pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
|
pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
|
||||||
CK_OBJECT_HANDLE *obj)
|
CK_OBJECT_HANDLE *obj)
|
||||||
{
|
{
|
||||||
@ -1886,7 +1885,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
CK_SESSION_HANDLE session;
|
CK_SESSION_HANDLE session;
|
||||||
CK_FUNCTION_LIST *f = NULL;
|
CK_FUNCTION_LIST *f = NULL;
|
||||||
CK_RV rv;
|
CK_RV rv;
|
||||||
@@ -834,14 +990,15 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr
|
@@ -834,14 +993,15 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr
|
||||||
|
|
||||||
memset(&key_attr, 0, sizeof(key_attr));
|
memset(&key_attr, 0, sizeof(key_attr));
|
||||||
key_attr[0].type = CKA_ID;
|
key_attr[0].type = CKA_ID;
|
||||||
@ -1907,7 +1906,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
if (rv != CKR_OK) {
|
if (rv != CKR_OK) {
|
||||||
error("C_GetAttributeValue failed: %lu", rv);
|
error("C_GetAttributeValue failed: %lu", rv);
|
||||||
return (NULL);
|
return (NULL);
|
||||||
@@ -852,19 +1009,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr
|
@@ -852,19 +1012,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr
|
||||||
* ensure that none of the others are zero length.
|
* ensure that none of the others are zero length.
|
||||||
* XXX assumes CKA_ID is always first.
|
* XXX assumes CKA_ID is always first.
|
||||||
*/
|
*/
|
||||||
@ -1931,7 +1930,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
if (rv != CKR_OK) {
|
if (rv != CKR_OK) {
|
||||||
error("C_GetAttributeValue failed: %lu", rv);
|
error("C_GetAttributeValue failed: %lu", rv);
|
||||||
goto fail;
|
goto fail;
|
||||||
@@ -876,8 +1033,8 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr
|
@@ -876,8 +1036,8 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1942,7 +1941,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
if (rsa_n == NULL || rsa_e == NULL) {
|
if (rsa_n == NULL || rsa_e == NULL) {
|
||||||
error("BN_bin2bn failed");
|
error("BN_bin2bn failed");
|
||||||
goto fail;
|
goto fail;
|
||||||
@@ -886,7 +1043,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr
|
@@ -886,7 +1046,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr
|
||||||
fatal_f("set key");
|
fatal_f("set key");
|
||||||
rsa_n = rsa_e = NULL; /* transferred */
|
rsa_n = rsa_e = NULL; /* transferred */
|
||||||
|
|
||||||
@ -1951,7 +1950,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
goto fail;
|
goto fail;
|
||||||
|
|
||||||
key = sshkey_new(KEY_UNSPEC);
|
key = sshkey_new(KEY_UNSPEC);
|
||||||
@@ -901,7 +1058,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr
|
@@ -901,7 +1061,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr
|
||||||
rsa = NULL; /* now owned by key */
|
rsa = NULL; /* now owned by key */
|
||||||
|
|
||||||
fail:
|
fail:
|
||||||
@ -1960,7 +1959,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
free(key_attr[i].pValue);
|
free(key_attr[i].pValue);
|
||||||
RSA_free(rsa);
|
RSA_free(rsa);
|
||||||
|
|
||||||
@@ -912,7 +1069,8 @@ static int
|
@@ -912,7 +1072,8 @@ static int
|
||||||
pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
|
pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
|
||||||
CK_OBJECT_HANDLE *obj, struct sshkey **keyp, char **labelp)
|
CK_OBJECT_HANDLE *obj, struct sshkey **keyp, char **labelp)
|
||||||
{
|
{
|
||||||
@ -1970,7 +1969,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
CK_SESSION_HANDLE session;
|
CK_SESSION_HANDLE session;
|
||||||
CK_FUNCTION_LIST *f = NULL;
|
CK_FUNCTION_LIST *f = NULL;
|
||||||
CK_RV rv;
|
CK_RV rv;
|
||||||
@@ -936,14 +1094,15 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p
|
@@ -936,14 +1097,15 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p
|
||||||
|
|
||||||
memset(&cert_attr, 0, sizeof(cert_attr));
|
memset(&cert_attr, 0, sizeof(cert_attr));
|
||||||
cert_attr[0].type = CKA_ID;
|
cert_attr[0].type = CKA_ID;
|
||||||
@ -1991,7 +1990,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
if (rv != CKR_OK) {
|
if (rv != CKR_OK) {
|
||||||
error("C_GetAttributeValue failed: %lu", rv);
|
error("C_GetAttributeValue failed: %lu", rv);
|
||||||
return -1;
|
return -1;
|
||||||
@@ -955,18 +1114,19 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p
|
@@ -955,18 +1117,19 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p
|
||||||
* XXX assumes CKA_ID is always first.
|
* XXX assumes CKA_ID is always first.
|
||||||
*/
|
*/
|
||||||
if (cert_attr[1].ulValueLen == 0 ||
|
if (cert_attr[1].ulValueLen == 0 ||
|
||||||
@ -2014,7 +2013,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
if (rv != CKR_OK) {
|
if (rv != CKR_OK) {
|
||||||
error("C_GetAttributeValue failed: %lu", rv);
|
error("C_GetAttributeValue failed: %lu", rv);
|
||||||
goto out;
|
goto out;
|
||||||
@@ -980,8 +1140,8 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p
|
@@ -980,8 +1143,8 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p
|
||||||
subject = xstrdup("invalid subject");
|
subject = xstrdup("invalid subject");
|
||||||
X509_NAME_free(x509_name);
|
X509_NAME_free(x509_name);
|
||||||
|
|
||||||
@ -2025,7 +2024,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
error("d2i_x509 failed");
|
error("d2i_x509 failed");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1001,7 +1161,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p
|
@@ -1001,7 +1164,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2034,7 +2033,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
key = sshkey_new(KEY_UNSPEC);
|
key = sshkey_new(KEY_UNSPEC);
|
||||||
@@ -1031,7 +1191,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p
|
@@ -1031,7 +1194,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2043,7 +2042,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
key = sshkey_new(KEY_UNSPEC);
|
key = sshkey_new(KEY_UNSPEC);
|
||||||
@@ -1051,7 +1211,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p
|
@@ -1051,7 +1214,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
out:
|
out:
|
||||||
@ -2052,7 +2051,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
free(cert_attr[i].pValue);
|
free(cert_attr[i].pValue);
|
||||||
X509_free(x509);
|
X509_free(x509);
|
||||||
RSA_free(rsa);
|
RSA_free(rsa);
|
||||||
@@ -1102,11 +1262,12 @@ note_key(struct pkcs11_provider *p, CK_U
|
@@ -1102,11 +1265,12 @@ note_key(struct pkcs11_provider *p, CK_U
|
||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
pkcs11_fetch_certs(struct pkcs11_provider *p, CK_ULONG slotidx,
|
pkcs11_fetch_certs(struct pkcs11_provider *p, CK_ULONG slotidx,
|
||||||
@ -2067,7 +2066,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
CK_SESSION_HANDLE session;
|
CK_SESSION_HANDLE session;
|
||||||
CK_FUNCTION_LIST *f = NULL;
|
CK_FUNCTION_LIST *f = NULL;
|
||||||
CK_RV rv;
|
CK_RV rv;
|
||||||
@@ -1123,10 +1284,23 @@ pkcs11_fetch_certs(struct pkcs11_provide
|
@@ -1123,10 +1287,23 @@ pkcs11_fetch_certs(struct pkcs11_provide
|
||||||
key_attr[0].pValue = &key_class;
|
key_attr[0].pValue = &key_class;
|
||||||
key_attr[0].ulValueLen = sizeof(key_class);
|
key_attr[0].ulValueLen = sizeof(key_class);
|
||||||
|
|
||||||
@ -2094,7 +2093,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
if (rv != CKR_OK) {
|
if (rv != CKR_OK) {
|
||||||
error("C_FindObjectsInit failed: %lu", rv);
|
error("C_FindObjectsInit failed: %lu", rv);
|
||||||
goto fail;
|
goto fail;
|
||||||
@@ -1207,11 +1381,12 @@ fail:
|
@@ -1207,11 +1384,12 @@ fail:
|
||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
|
pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
|
||||||
@ -2109,7 +2108,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
CK_SESSION_HANDLE session;
|
CK_SESSION_HANDLE session;
|
||||||
CK_FUNCTION_LIST *f = NULL;
|
CK_FUNCTION_LIST *f = NULL;
|
||||||
CK_RV rv;
|
CK_RV rv;
|
||||||
@@ -1227,10 +1402,23 @@ pkcs11_fetch_keys(struct pkcs11_provider
|
@@ -1227,10 +1405,23 @@ pkcs11_fetch_keys(struct pkcs11_provider
|
||||||
key_attr[0].pValue = &key_class;
|
key_attr[0].pValue = &key_class;
|
||||||
key_attr[0].ulValueLen = sizeof(key_class);
|
key_attr[0].ulValueLen = sizeof(key_class);
|
||||||
|
|
||||||
@ -2127,16 +2126,16 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
+ key_attr[nattr].ulValueLen = strlen(uri->object);
|
+ key_attr[nattr].ulValueLen = strlen(uri->object);
|
||||||
+ nattr++;
|
+ nattr++;
|
||||||
+ }
|
+ }
|
||||||
+
|
|
||||||
+ session = p->module->slotinfo[slotidx].session;
|
|
||||||
+ f = p->module->function_list;
|
|
||||||
|
|
||||||
- rv = f->C_FindObjectsInit(session, key_attr, 1);
|
- rv = f->C_FindObjectsInit(session, key_attr, 1);
|
||||||
|
+ session = p->module->slotinfo[slotidx].session;
|
||||||
|
+ f = p->module->function_list;
|
||||||
|
+
|
||||||
+ rv = f->C_FindObjectsInit(session, key_attr, nattr);
|
+ rv = f->C_FindObjectsInit(session, key_attr, nattr);
|
||||||
if (rv != CKR_OK) {
|
if (rv != CKR_OK) {
|
||||||
error("C_FindObjectsInit failed: %lu", rv);
|
error("C_FindObjectsInit failed: %lu", rv);
|
||||||
goto fail;
|
goto fail;
|
||||||
@@ -1499,16 +1687,10 @@ pkcs11_ecdsa_generate_private_key(struct
|
@@ -1499,16 +1690,10 @@ pkcs11_ecdsa_generate_private_key(struct
|
||||||
}
|
}
|
||||||
#endif /* WITH_PKCS11_KEYGEN */
|
#endif /* WITH_PKCS11_KEYGEN */
|
||||||
|
|
||||||
@ -2155,7 +2154,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
int ret = -1;
|
int ret = -1;
|
||||||
struct pkcs11_provider *p = NULL;
|
struct pkcs11_provider *p = NULL;
|
||||||
void *handle = NULL;
|
void *handle = NULL;
|
||||||
@@ -1517,164 +1699,298 @@ pkcs11_register_provider(char *provider_
|
@@ -1517,164 +1702,298 @@ pkcs11_register_provider(char *provider_
|
||||||
CK_FUNCTION_LIST *f = NULL;
|
CK_FUNCTION_LIST *f = NULL;
|
||||||
CK_TOKEN_INFO *token;
|
CK_TOKEN_INFO *token;
|
||||||
CK_ULONG i;
|
CK_ULONG i;
|
||||||
@ -2241,17 +2240,17 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
error("C_GetInfo for provider %s failed: %lu",
|
error("C_GetInfo for provider %s failed: %lu",
|
||||||
- provider_id, rv);
|
- provider_id, rv);
|
||||||
+ provider_module, rv);
|
+ provider_module, rv);
|
||||||
goto fail;
|
+ goto fail;
|
||||||
}
|
+ }
|
||||||
- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
|
|
||||||
- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
|
|
||||||
+ rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
|
+ rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
|
||||||
+ if (uri->lib_manuf != NULL &&
|
+ if (uri->lib_manuf != NULL &&
|
||||||
+ strcmp(uri->lib_manuf, m->info.manufacturerID)) {
|
+ strcmp(uri->lib_manuf, m->info.manufacturerID)) {
|
||||||
+ debug_f("Skipping provider %s not matching library_manufacturer",
|
+ debug_f("Skipping provider %s not matching library_manufacturer",
|
||||||
+ m->info.manufacturerID);
|
+ m->info.manufacturerID);
|
||||||
+ goto fail;
|
goto fail;
|
||||||
+ }
|
}
|
||||||
|
- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
|
||||||
|
- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
|
||||||
+ rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
|
+ rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
|
||||||
debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d"
|
debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d"
|
||||||
" libraryDescription <%s> libraryVersion %d.%d",
|
" libraryDescription <%s> libraryVersion %d.%d",
|
||||||
@ -2529,7 +2528,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
|
|
||||||
/* no keys found or some other error, de-register provider */
|
/* no keys found or some other error, de-register provider */
|
||||||
if (nkeys <= 0 && p != NULL) {
|
if (nkeys <= 0 && p != NULL) {
|
||||||
@@ -1683,7 +1999,37 @@ pkcs11_add_provider(char *provider_id, c
|
@@ -1683,7 +2002,37 @@ pkcs11_add_provider(char *provider_id, c
|
||||||
pkcs11_provider_unref(p);
|
pkcs11_provider_unref(p);
|
||||||
}
|
}
|
||||||
if (nkeys == 0)
|
if (nkeys == 0)
|
||||||
@ -2568,9 +2567,9 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
|
|||||||
|
|
||||||
return (nkeys);
|
return (nkeys);
|
||||||
}
|
}
|
||||||
diff -up openssh-8.6p1/ssh-pkcs11.h.pkcs11-uri openssh-8.6p1/ssh-pkcs11.h
|
diff -up openssh-8.7p1/ssh-pkcs11.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11.h
|
||||||
--- openssh-8.6p1/ssh-pkcs11.h.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200
|
--- openssh-8.7p1/ssh-pkcs11.h.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200
|
||||||
+++ openssh-8.6p1/ssh-pkcs11.h 2021-04-19 14:57:30.320370580 +0200
|
+++ openssh-8.7p1/ssh-pkcs11.h 2021-08-30 13:07:43.666700121 +0200
|
||||||
@@ -22,10 +22,14 @@
|
@@ -22,10 +22,14 @@
|
||||||
#define SSH_PKCS11_ERR_PIN_REQUIRED 4
|
#define SSH_PKCS11_ERR_PIN_REQUIRED 4
|
||||||
#define SSH_PKCS11_ERR_PIN_LOCKED 5
|
#define SSH_PKCS11_ERR_PIN_LOCKED 5
|
||||||
@ -2586,9 +2585,9 @@ diff -up openssh-8.6p1/ssh-pkcs11.h.pkcs11-uri openssh-8.6p1/ssh-pkcs11.h
|
|||||||
#ifdef WITH_PKCS11_KEYGEN
|
#ifdef WITH_PKCS11_KEYGEN
|
||||||
struct sshkey *
|
struct sshkey *
|
||||||
pkcs11_gakp(char *, char *, unsigned int, char *, unsigned int,
|
pkcs11_gakp(char *, char *, unsigned int, char *, unsigned int,
|
||||||
diff -up openssh-8.6p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11-uri.c
|
diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.c
|
||||||
--- openssh-8.6p1/ssh-pkcs11-uri.c.pkcs11-uri 2021-04-19 14:57:30.318370565 +0200
|
--- openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri 2021-08-30 13:07:43.667700130 +0200
|
||||||
+++ openssh-8.6p1/ssh-pkcs11-uri.c 2021-04-19 14:57:30.318370565 +0200
|
+++ openssh-8.7p1/ssh-pkcs11-uri.c 2021-08-30 13:07:43.667700130 +0200
|
||||||
@@ -0,0 +1,419 @@
|
@@ -0,0 +1,419 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2017 Red Hat
|
+ * Copyright (c) 2017 Red Hat
|
||||||
@ -3009,9 +3008,9 @@ diff -up openssh-8.6p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11-uri.
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+#endif /* ENABLE_PKCS11 */
|
+#endif /* ENABLE_PKCS11 */
|
||||||
diff -up openssh-8.6p1/ssh-pkcs11-uri.h.pkcs11-uri openssh-8.6p1/ssh-pkcs11-uri.h
|
diff -up openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.h
|
||||||
--- openssh-8.6p1/ssh-pkcs11-uri.h.pkcs11-uri 2021-04-19 14:57:30.318370565 +0200
|
--- openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri 2021-08-30 13:07:43.667700130 +0200
|
||||||
+++ openssh-8.6p1/ssh-pkcs11-uri.h 2021-04-19 14:57:30.318370565 +0200
|
+++ openssh-8.7p1/ssh-pkcs11-uri.h 2021-08-30 13:07:43.667700130 +0200
|
||||||
@@ -0,0 +1,42 @@
|
@@ -0,0 +1,42 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2017 Red Hat
|
+ * Copyright (c) 2017 Red Hat
|
||||||
|
@ -1,320 +0,0 @@
|
|||||||
diff --git a/channels.c b/channels.c
|
|
||||||
index 32d1f617..0024f751 100644
|
|
||||||
--- a/channels.c
|
|
||||||
+++ b/channels.c
|
|
||||||
@@ -333,7 +333,27 @@ channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd,
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* enable nonblocking mode */
|
|
||||||
- if (nonblock) {
|
|
||||||
+ c->restore_block = 0;
|
|
||||||
+ if (nonblock == CHANNEL_NONBLOCK_STDIO) {
|
|
||||||
+ /*
|
|
||||||
+ * Special handling for stdio file descriptors: do not set
|
|
||||||
+ * non-blocking mode if they are TTYs. Otherwise prepare to
|
|
||||||
+ * restore their blocking state on exit to avoid interfering
|
|
||||||
+ * with other programs that follow.
|
|
||||||
+ */
|
|
||||||
+ if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
|
|
||||||
+ c->restore_block |= CHANNEL_RESTORE_RFD;
|
|
||||||
+ set_nonblock(rfd);
|
|
||||||
+ }
|
|
||||||
+ if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
|
|
||||||
+ c->restore_block |= CHANNEL_RESTORE_WFD;
|
|
||||||
+ set_nonblock(wfd);
|
|
||||||
+ }
|
|
||||||
+ if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
|
|
||||||
+ c->restore_block |= CHANNEL_RESTORE_EFD;
|
|
||||||
+ set_nonblock(efd);
|
|
||||||
+ }
|
|
||||||
+ } else if (nonblock) {
|
|
||||||
if (rfd != -1)
|
|
||||||
set_nonblock(rfd);
|
|
||||||
if (wfd != -1)
|
|
||||||
@@ -422,17 +442,23 @@ channel_find_maxfd(struct ssh_channels *sc)
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
-channel_close_fd(struct ssh *ssh, int *fdp)
|
|
||||||
+channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
|
|
||||||
{
|
|
||||||
struct ssh_channels *sc = ssh->chanctxt;
|
|
||||||
- int ret = 0, fd = *fdp;
|
|
||||||
+ int ret, fd = *fdp;
|
|
||||||
|
|
||||||
- if (fd != -1) {
|
|
||||||
- ret = close(fd);
|
|
||||||
- *fdp = -1;
|
|
||||||
- if (fd == sc->channel_max_fd)
|
|
||||||
- channel_find_maxfd(sc);
|
|
||||||
- }
|
|
||||||
+ if (fd == -1)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ||
|
|
||||||
+ (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ||
|
|
||||||
+ (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0))
|
|
||||||
+ (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */
|
|
||||||
+
|
|
||||||
+ ret = close(fd);
|
|
||||||
+ *fdp = -1;
|
|
||||||
+ if (fd == sc->channel_max_fd)
|
|
||||||
+ channel_find_maxfd(sc);
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -442,13 +468,13 @@ channel_close_fds(struct ssh *ssh, Channel *c)
|
|
||||||
{
|
|
||||||
int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
|
|
||||||
|
|
||||||
- channel_close_fd(ssh, &c->sock);
|
|
||||||
+ channel_close_fd(ssh, c, &c->sock);
|
|
||||||
if (rfd != sock)
|
|
||||||
- channel_close_fd(ssh, &c->rfd);
|
|
||||||
+ channel_close_fd(ssh, c, &c->rfd);
|
|
||||||
if (wfd != sock && wfd != rfd)
|
|
||||||
- channel_close_fd(ssh, &c->wfd);
|
|
||||||
+ channel_close_fd(ssh, c, &c->wfd);
|
|
||||||
if (efd != sock && efd != rfd && efd != wfd)
|
|
||||||
- channel_close_fd(ssh, &c->efd);
|
|
||||||
+ channel_close_fd(ssh, c, &c->efd);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
@@ -702,7 +728,7 @@ channel_stop_listening(struct ssh *ssh)
|
|
||||||
case SSH_CHANNEL_X11_LISTENER:
|
|
||||||
case SSH_CHANNEL_UNIX_LISTENER:
|
|
||||||
case SSH_CHANNEL_RUNIX_LISTENER:
|
|
||||||
- channel_close_fd(ssh, &c->sock);
|
|
||||||
+ channel_close_fd(ssh, c, &c->sock);
|
|
||||||
channel_free(ssh, c);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
@@ -1491,7 +1517,8 @@ channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output)
|
|
||||||
|
|
||||||
Channel *
|
|
||||||
channel_connect_stdio_fwd(struct ssh *ssh,
|
|
||||||
- const char *host_to_connect, u_short port_to_connect, int in, int out)
|
|
||||||
+ const char *host_to_connect, u_short port_to_connect,
|
|
||||||
+ int in, int out, int nonblock)
|
|
||||||
{
|
|
||||||
Channel *c;
|
|
||||||
|
|
||||||
@@ -1499,7 +1526,7 @@ channel_connect_stdio_fwd(struct ssh *ssh,
|
|
||||||
|
|
||||||
c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
|
|
||||||
-1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
|
|
||||||
- 0, "stdio-forward", /*nonblock*/0);
|
|
||||||
+ 0, "stdio-forward", nonblock);
|
|
||||||
|
|
||||||
c->path = xstrdup(host_to_connect);
|
|
||||||
c->host_port = port_to_connect;
|
|
||||||
@@ -1649,7 +1676,7 @@ channel_post_x11_listener(struct ssh *ssh, Channel *c,
|
|
||||||
if (c->single_connection) {
|
|
||||||
oerrno = errno;
|
|
||||||
debug2("single_connection: closing X11 listener.");
|
|
||||||
- channel_close_fd(ssh, &c->sock);
|
|
||||||
+ channel_close_fd(ssh, c, &c->sock);
|
|
||||||
chan_mark_dead(ssh, c);
|
|
||||||
errno = oerrno;
|
|
||||||
}
|
|
||||||
@@ -2058,7 +2085,7 @@ channel_handle_efd_write(struct ssh *ssh, Channel *c,
|
|
||||||
return 1;
|
|
||||||
if (len <= 0) {
|
|
||||||
debug2("channel %d: closing write-efd %d", c->self, c->efd);
|
|
||||||
- channel_close_fd(ssh, &c->efd);
|
|
||||||
+ channel_close_fd(ssh, c, &c->efd);
|
|
||||||
} else {
|
|
||||||
if ((r = sshbuf_consume(c->extended, len)) != 0)
|
|
||||||
fatal_fr(r, "channel %i: consume", c->self);
|
|
||||||
@@ -2087,7 +2114,7 @@ channel_handle_efd_read(struct ssh *ssh, Channel *c,
|
|
||||||
return 1;
|
|
||||||
if (len <= 0) {
|
|
||||||
debug2("channel %d: closing read-efd %d", c->self, c->efd);
|
|
||||||
- channel_close_fd(ssh, &c->efd);
|
|
||||||
+ channel_close_fd(ssh, c, &c->efd);
|
|
||||||
} else if (c->extended_usage == CHAN_EXTENDED_IGNORE)
|
|
||||||
debug3("channel %d: discard efd", c->self);
|
|
||||||
else if ((r = sshbuf_put(c->extended, buf, len)) != 0)
|
|
||||||
diff --git a/channels.h b/channels.h
|
|
||||||
index 378d987c..6bf86b00 100644
|
|
||||||
--- a/channels.h
|
|
||||||
+++ b/channels.h
|
|
||||||
@@ -63,6 +63,16 @@
|
|
||||||
|
|
||||||
#define CHANNEL_CANCEL_PORT_STATIC -1
|
|
||||||
|
|
||||||
+/* nonblocking flags for channel_new */
|
|
||||||
+#define CHANNEL_NONBLOCK_LEAVE 0 /* don't modify non-blocking state */
|
|
||||||
+#define CHANNEL_NONBLOCK_SET 1 /* set non-blocking state */
|
|
||||||
+#define CHANNEL_NONBLOCK_STDIO 2 /* set non-blocking and restore on close */
|
|
||||||
+
|
|
||||||
+/* c->restore_block mask flags */
|
|
||||||
+#define CHANNEL_RESTORE_RFD 0x01
|
|
||||||
+#define CHANNEL_RESTORE_WFD 0x02
|
|
||||||
+#define CHANNEL_RESTORE_EFD 0x04
|
|
||||||
+
|
|
||||||
/* TCP forwarding */
|
|
||||||
#define FORWARD_DENY 0
|
|
||||||
#define FORWARD_REMOTE (1)
|
|
||||||
@@ -139,6 +149,7 @@ struct Channel {
|
|
||||||
* to a matching pre-select handler.
|
|
||||||
* this way post-select handlers are not
|
|
||||||
* accidentally called if a FD gets reused */
|
|
||||||
+ int restore_block; /* fd mask to restore blocking status */
|
|
||||||
struct sshbuf *input; /* data read from socket, to be sent over
|
|
||||||
* encrypted connection */
|
|
||||||
struct sshbuf *output; /* data received over encrypted connection for
|
|
||||||
@@ -266,7 +277,7 @@ void channel_register_filter(struct ssh *, int, channel_infilter_fn *,
|
|
||||||
void channel_register_status_confirm(struct ssh *, int,
|
|
||||||
channel_confirm_cb *, channel_confirm_abandon_cb *, void *);
|
|
||||||
void channel_cancel_cleanup(struct ssh *, int);
|
|
||||||
-int channel_close_fd(struct ssh *, int *);
|
|
||||||
+int channel_close_fd(struct ssh *, Channel *, int *);
|
|
||||||
void channel_send_window_changes(struct ssh *);
|
|
||||||
|
|
||||||
/* mux proxy support */
|
|
||||||
@@ -313,7 +324,7 @@ Channel *channel_connect_to_port(struct ssh *, const char *, u_short,
|
|
||||||
char *, char *, int *, const char **);
|
|
||||||
Channel *channel_connect_to_path(struct ssh *, const char *, char *, char *);
|
|
||||||
Channel *channel_connect_stdio_fwd(struct ssh *, const char*,
|
|
||||||
- u_short, int, int);
|
|
||||||
+ u_short, int, int, int);
|
|
||||||
Channel *channel_connect_by_listen_address(struct ssh *, const char *,
|
|
||||||
u_short, char *, char *);
|
|
||||||
Channel *channel_connect_by_listen_path(struct ssh *, const char *,
|
|
||||||
diff --git a/clientloop.c b/clientloop.c
|
|
||||||
index 219f0e90..bdd67686 100644
|
|
||||||
--- a/clientloop.c
|
|
||||||
+++ b/clientloop.c
|
|
||||||
@@ -1405,14 +1405,6 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
|
|
||||||
if (have_pty)
|
|
||||||
leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
|
|
||||||
|
|
||||||
- /* restore blocking io */
|
|
||||||
- if (!isatty(fileno(stdin)))
|
|
||||||
- unset_nonblock(fileno(stdin));
|
|
||||||
- if (!isatty(fileno(stdout)))
|
|
||||||
- unset_nonblock(fileno(stdout));
|
|
||||||
- if (!isatty(fileno(stderr)))
|
|
||||||
- unset_nonblock(fileno(stderr));
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* If there was no shell or command requested, there will be no remote
|
|
||||||
* exit status to be returned. In that case, clear error code if the
|
|
||||||
diff --git a/mux.c b/mux.c
|
|
||||||
index faf4ef1e..9454bfed 100644
|
|
||||||
--- a/mux.c
|
|
||||||
+++ b/mux.c
|
|
||||||
@@ -452,14 +452,6 @@ mux_master_process_new_session(struct ssh *ssh, u_int rid,
|
|
||||||
if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
|
|
||||||
error_f("tcgetattr: %s", strerror(errno));
|
|
||||||
|
|
||||||
- /* enable nonblocking unless tty */
|
|
||||||
- if (!isatty(new_fd[0]))
|
|
||||||
- set_nonblock(new_fd[0]);
|
|
||||||
- if (!isatty(new_fd[1]))
|
|
||||||
- set_nonblock(new_fd[1]);
|
|
||||||
- if (!isatty(new_fd[2]))
|
|
||||||
- set_nonblock(new_fd[2]);
|
|
||||||
-
|
|
||||||
window = CHAN_SES_WINDOW_DEFAULT;
|
|
||||||
packetmax = CHAN_SES_PACKET_DEFAULT;
|
|
||||||
if (cctx->want_tty) {
|
|
||||||
@@ -469,7 +461,7 @@ mux_master_process_new_session(struct ssh *ssh, u_int rid,
|
|
||||||
|
|
||||||
nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING,
|
|
||||||
new_fd[0], new_fd[1], new_fd[2], window, packetmax,
|
|
||||||
- CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
|
|
||||||
+ CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO);
|
|
||||||
|
|
||||||
nc->ctl_chan = c->self; /* link session -> control channel */
|
|
||||||
c->remote_id = nc->self; /* link control -> session channel */
|
|
||||||
@@ -1025,13 +1017,8 @@ mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* enable nonblocking unless tty */
|
|
||||||
- if (!isatty(new_fd[0]))
|
|
||||||
- set_nonblock(new_fd[0]);
|
|
||||||
- if (!isatty(new_fd[1]))
|
|
||||||
- set_nonblock(new_fd[1]);
|
|
||||||
-
|
|
||||||
- nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1]);
|
|
||||||
+ nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1],
|
|
||||||
+ CHANNEL_NONBLOCK_STDIO);
|
|
||||||
free(chost);
|
|
||||||
|
|
||||||
nc->ctl_chan = c->self; /* link session -> control channel */
|
|
||||||
diff --git a/nchan.c b/nchan.c
|
|
||||||
index 4a4494b8..7ef3a350 100644
|
|
||||||
--- a/nchan.c
|
|
||||||
+++ b/nchan.c
|
|
||||||
@@ -384,7 +384,7 @@ chan_shutdown_write(struct ssh *ssh, Channel *c)
|
|
||||||
c->istate, c->ostate, strerror(errno));
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- if (channel_close_fd(ssh, &c->wfd) < 0) {
|
|
||||||
+ if (channel_close_fd(ssh, c, &c->wfd) < 0) {
|
|
||||||
logit_f("channel %d: close() failed for "
|
|
||||||
"fd %d [i%d o%d]: %.100s", c->self, c->wfd,
|
|
||||||
c->istate, c->ostate, strerror(errno));
|
|
||||||
@@ -412,7 +412,7 @@ chan_shutdown_read(struct ssh *ssh, Channel *c)
|
|
||||||
c->istate, c->ostate, strerror(errno));
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- if (channel_close_fd(ssh, &c->rfd) < 0) {
|
|
||||||
+ if (channel_close_fd(ssh, c, &c->rfd) < 0) {
|
|
||||||
logit_f("channel %d: close() failed for "
|
|
||||||
"fd %d [i%d o%d]: %.100s", c->self, c->rfd,
|
|
||||||
c->istate, c->ostate, strerror(errno));
|
|
||||||
@@ -431,7 +431,7 @@ chan_shutdown_extended_read(struct ssh *ssh, Channel *c)
|
|
||||||
debug_f("channel %d: (i%d o%d sock %d wfd %d efd %d [%s])",
|
|
||||||
c->self, c->istate, c->ostate, c->sock, c->rfd, c->efd,
|
|
||||||
channel_format_extended_usage(c));
|
|
||||||
- if (channel_close_fd(ssh, &c->efd) < 0) {
|
|
||||||
+ if (channel_close_fd(ssh, c, &c->efd) < 0) {
|
|
||||||
logit_f("channel %d: close() failed for "
|
|
||||||
"extended fd %d [i%d o%d]: %.100s", c->self, c->efd,
|
|
||||||
c->istate, c->ostate, strerror(errno));
|
|
||||||
diff --git a/ssh.c b/ssh.c
|
|
||||||
index 696dc3bc..6243db76 100644
|
|
||||||
--- a/ssh.c
|
|
||||||
+++ b/ssh.c
|
|
||||||
@@ -1876,9 +1876,10 @@ ssh_init_stdio_forwarding(struct ssh *ssh)
|
|
||||||
|
|
||||||
if ((in = dup(STDIN_FILENO)) == -1 ||
|
|
||||||
(out = dup(STDOUT_FILENO)) == -1)
|
|
||||||
- fatal("channel_connect_stdio_fwd: dup() in/out failed");
|
|
||||||
+ fatal_f("dup() in/out failed");
|
|
||||||
if ((c = channel_connect_stdio_fwd(ssh, options.stdio_forward_host,
|
|
||||||
- options.stdio_forward_port, in, out)) == NULL)
|
|
||||||
+ options.stdio_forward_port, in, out,
|
|
||||||
+ CHANNEL_NONBLOCK_STDIO)) == NULL)
|
|
||||||
fatal_f("channel_connect_stdio_fwd failed");
|
|
||||||
channel_register_cleanup(ssh, c->self, client_cleanup_stdio_fwd, 0);
|
|
||||||
channel_register_open_confirm(ssh, c->self, ssh_stdio_confirm, NULL);
|
|
||||||
@@ -2074,14 +2075,6 @@ ssh_session2_open(struct ssh *ssh)
|
|
||||||
if (in == -1 || out == -1 || err == -1)
|
|
||||||
fatal("dup() in/out/err failed");
|
|
||||||
|
|
||||||
- /* enable nonblocking unless tty */
|
|
||||||
- if (!isatty(in))
|
|
||||||
- set_nonblock(in);
|
|
||||||
- if (!isatty(out))
|
|
||||||
- set_nonblock(out);
|
|
||||||
- if (!isatty(err))
|
|
||||||
- set_nonblock(err);
|
|
||||||
-
|
|
||||||
window = CHAN_SES_WINDOW_DEFAULT;
|
|
||||||
packetmax = CHAN_SES_PACKET_DEFAULT;
|
|
||||||
if (tty_flag) {
|
|
||||||
@@ -2091,7 +2084,7 @@ ssh_session2_open(struct ssh *ssh)
|
|
||||||
c = channel_new(ssh,
|
|
||||||
"session", SSH_CHANNEL_OPENING, in, out, err,
|
|
||||||
window, packetmax, CHAN_EXTENDED_WRITE,
|
|
||||||
- "client-session", /*nonblock*/0);
|
|
||||||
+ "client-session", CHANNEL_NONBLOCK_STDIO);
|
|
||||||
|
|
||||||
debug3_f("channel_new: %d", c->self);
|
|
||||||
|
|
@ -1,57 +0,0 @@
|
|||||||
--- compat.h.orig 2020-10-05 10:09:02.953505129 -0700
|
|
||||||
+++ compat.h 2020-10-05 10:10:17.587733113 -0700
|
|
||||||
@@ -34,7 +34,7 @@
|
|
||||||
|
|
||||||
#define SSH_BUG_UTF8TTYMODE 0x00000001
|
|
||||||
#define SSH_BUG_SIGTYPE 0x00000002
|
|
||||||
-/* #define unused 0x00000004 */
|
|
||||||
+#define SSH_BUG_SIGTYPE74 0x00000004
|
|
||||||
/* #define unused 0x00000008 */
|
|
||||||
#define SSH_OLD_SESSIONID 0x00000010
|
|
||||||
/* #define unused 0x00000020 */
|
|
||||||
--- compat.c.orig 2020-10-05 10:25:02.088720562 -0700
|
|
||||||
+++ compat.c 2020-10-05 10:13:11.637282492 -0700
|
|
||||||
@@ -65,11 +65,12 @@
|
|
||||||
{ "OpenSSH_6.5*,"
|
|
||||||
"OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
|
|
||||||
SSH_BUG_SIGTYPE},
|
|
||||||
+ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
|
|
||||||
+ SSH_BUG_SIGTYPE74},
|
|
||||||
{ "OpenSSH_7.0*,"
|
|
||||||
"OpenSSH_7.1*,"
|
|
||||||
"OpenSSH_7.2*,"
|
|
||||||
"OpenSSH_7.3*,"
|
|
||||||
- "OpenSSH_7.4*,"
|
|
||||||
"OpenSSH_7.5*,"
|
|
||||||
"OpenSSH_7.6*,"
|
|
||||||
"OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
|
|
||||||
--- sshconnect2.c.orig 2020-09-26 07:26:37.618010545 -0700
|
|
||||||
+++ sshconnect2.c 2020-10-05 10:47:22.116315148 -0700
|
|
||||||
@@ -1305,6 +1305,26 @@
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
free(oallowed);
|
|
||||||
+ /*
|
|
||||||
+ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
|
|
||||||
+ * support. For that release, check the local policy against the
|
|
||||||
+ * SHA2 signature types.
|
|
||||||
+ */
|
|
||||||
+ if (alg == NULL &&
|
|
||||||
+ (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74))) {
|
|
||||||
+ oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
|
|
||||||
+ while ((cp = strsep(&allowed, ",")) != NULL) {
|
|
||||||
+ if (sshkey_type_from_name(cp) != key->type)
|
|
||||||
+ continue;
|
|
||||||
+ tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
|
|
||||||
+ if (tmp != NULL)
|
|
||||||
+ alg = xstrdup(cp);
|
|
||||||
+ free(tmp);
|
|
||||||
+ if (alg != NULL)
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ free(oallowed);
|
|
||||||
+ }
|
|
||||||
return alg;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user